Preface


IBM® Workplace™ for Business Controls and Reporting provides the knowledge 
and information management, as well as the portal and collaboration 
infrastructure, to help address internal business controls and reporting 
requirements. This IBM offering provides document management, collaboration, 
audit trails, and archiving functions in an integrated offering. The content 
repository technology forms the foundation for organizing control activities, 
disseminating information, and gathering the information required to help 
evaluate risk and monitor internal control systems. 

Whether you are a line-of-business executive, financial controls manager, 
auditor, or application administrator, this IBM Redpaper will introduce you to 
Workplace for Business Controls and Reporting and its administrative and 
operational features and best practices. This paper is intended for use after you 
initially install the product. 
and Messaging technologies. She holds various technical product certifications

subject matter expert for the IBM Workplace for Business Controls and Reporting
tool that helps manage compliance control frameworks for customers.


© Copyright IBM Corp. 2005. All rights reserved. 



Cornelis Van Der Woude is an IBM Certified IT Specialist and works in the
Worldwide Technical Sales team as a Consulting IT Specialist. Cees 
(pronounced “case”) joined IBM/Lotus in 1999 with the acquisition of German 
Partner ONEstone and played a key role in driving the Lotus Workflow™ 
business. At the end of 2003, he shifted focus to the compliance area and has 
worked with and presented the IBM Workplace for Business Controls and 
Reporting solution to hundreds of executives around the world. 

Thanks to the following people for their contributions to this project: 

Jennie Dymacek, IBM Workplace Marketing Manager, IBM 

Rebecca Buisan, Compliance and Workplace Solutions, IBM 

David Eyerman, Senior Software Engineer, Solution Product SWAT Team, IBM 

Richard L. Brown, Product Program Director, IBM 

Devang Patel, Staff Software Engineer, IBM 


Become a published author 

Join us for a two- to six-week residency program! Help write an IBM Redbook 
dealing with specific products or solutions, while getting hands-on experience 
with leading-edge technologies. You'll team with IBM technical professionals, 
Business Partners and/or customers. 

Your efforts will help increase product acceptance and customer satisfaction. As 
a bonus, you'll develop a network of contacts in IBM development labs, and 
increase your productivity and marketability. 

Find out more about the residency program, browse the residency index, and 
apply online at: 

ibm.com/redbooks/residencies.html 


Comments welcome 

Your comments are important to us! 


x IBM Workplace for Business Controls and Reporting: Administration and Operations Best Practices 


We want our papers to be as helpful as possible. Send us your comments about 
this Redpaper or other Redbooks™ in one of the following ways: 

► Use the online Contact us review redbook form found at: 

ibm.com/redbooks 

► Send your comments in an email to: 

redbook@us.ibm.com 

► Mail your comments to: 

IBM Corporation, International Technical Support Organization 
Dept. HYJ Mail Station P099 
2455 South Road 

Poughkeepsie, New York 12601-5400 





Introduction to IBM 
Workplace for Business 
Controls and Reporting 


This chapter provides an overview and positioning of the IBM Workplace for 
Business Controls and Reporting system. In this chapter, we discuss the 
following topics: 

► The IBM response to the compliance challenge 

► What IBM Workplace for Business Controls and Reporting is 

► Overview of control frameworks, COSO, COBIT 

► Summary 

1.1 Disclaimer


Customers are responsible for ensuring their own compliance with the 
Sarbanes-Oxley (SOX) Act. It is the customer’s sole responsibility to obtain the 
advice of competent legal counsel as to the identification and interpretation of 
any relevant laws, including but not limited to, the Sarbanes-Oxley Act, that may 
affect the customer's business and any actions the customer may need to take to 
comply with such laws. IBM does not provide legal, audit, or accounting advice or 
represent or warrant that its services or products will ensure that the customer is 
in compliance with any law. 


1.2 Responding to the compliance challenge 

Many companies face internal controls-management challenges, such as 
compliance and risk management. An end-to-end solution, IBM Workplace for 
Business Controls and Reporting Version 2.5 provides an open 
controls-management platform that enables you to address your challenges in 
managing internal business controls. The open, standards-based platform of 
Workplace for Business Controls and Reporting supports documentation and 
reporting of internal controls based on the Integrated Internal Control Framework 
from Committee of Sponsoring Organizations (COSO) of the Treadway 
Commission and the Control Objectives for Information Technology, COBIT, 
internal control framework from the IT Governance Institute, as well as other 
internal control frameworks from international organizations, reducing complexity 
by using a single tool to meet multiple requirements. 

By integrating capabilities for knowledge- and information-management and 
leveraging a collaborative portal infrastructure, IBM Workplace for Business 
Controls and Reporting can help you in your efforts to effectively manage internal 
business controls and reporting requirements: 

► Provides an integrated controls management platform to easily document, 
evaluate, and report on the effectiveness of business controls. 

► Documents processes in a consistent manner to support the identification of 
risks and controls that facilitates the evaluation of control effectiveness. 

► Delivers a role-based, collaborative approach with executive dashboards, 
providing the ability to actively monitor the enterprise-wide control 
environment on a continuous real-time basis. 

► Offers enhanced organizational efficiency with support for multiple control 
types, shared controls, organizational movement, versioning, import, and 
e-mail alert capabilities. 

► Enables you to get started quickly with the import of company-specific,
third-party control catalogs or procedures directly from Microsoft® Excel®. 

► Leverages multiple, integrated collaborative capabilities to improve exception 
resolution, leverage existing skills, and help lower the total cost of compliance 
(TCC). 

In fact, a recent IBM survey reports that, “The majority of surveyed CFOs view 
the [Sarbanes-Oxley] compliance requirements as an opportunity to streamline 
systems and improve real-time business-process efficiency, even beyond the 
scope of any specific regulatory compliance.” 

To take advantage of this chance to improve internal processes while responding 
to Section 404 of the Sarbanes-Oxley Act, it is important for public companies to 
be able to: 

► Assess and report on the effectiveness of internal controls and processes in a 
timely manner 

► Implement new, and adjust existing, controls and processes 

► Manage massive volumes of critical business content that might be required 
to support your compliance initiatives 

► Simplify internal control processes by infusing control-related activities into 
employees’ daily routines 

► Continue using existing investments to help control costs 

To read more about this topic, refer to “Leverage on demand solutions to help 
you create strategic Sarbanes-Oxley compliance plans,” available at: 

ftp://ftp.software.ibm.com/software/lotus/pub/lotusweb/sox/10703070_Lotus_final.pdf


1.2.1 Supporting the entire controls-management process 

IBM Workplace for Business Controls and Reporting can be an important part of 
your overall business-controls-management process. It provides you the ability 
to effectively document, evaluate, and report on internal controls while producing 
an audit trail, which enables you to track key changes. The capability for shared 
controls helps reduce testing efforts by enabling users to share evaluation results 
across business units and processes. The solution provides certification 
capability at the business unit and process levels, providing accountability for 
business unit and process owners, giving them the ability to certify that business 
units and processes are meeting company standards and to provide certification 
comments following the review of controls. 

1.2.2 Taking a collaborative, role-based approach to controls
reporting 

IBM Workplace for Business Controls and Reporting creates a role-based work 
environment that enables users to view information specific to their roles within 
the controls-management process. In addition, they can manage and share 
control documents, such as organizational charts, policies, and standard 
operating procedures, in a highly secure environment. Collaboration capabilities 
can help teams resolve issues and share information quickly with real-time 
communication through instant messaging, online discussions and meetings, 
and automatic e-mail alerts. 

All content related to your processes and business controls, as well as 
documents defining your policies and procedures or compliance processes, can 
be stored in the solution's controls database. This database can be accessed 
through the IBM Workplace portal by internal staff, auditors, external legal 
counsel, and others, as required and defined by your company. The solution also 
includes multiple standard reports with the ability to create custom reports so that 
your company can easily assess the effectiveness of its control activities, and 
then determine what modifications are necessary. Flexible reporting is provided 
with integrated support from leading third-party vendors; examples include 
Actuate, MicroStrategy, Business Objects, Cognos, and Hyperion. 

1.2.3 Enhancing efficiency with support for multiple control types, 
shared controls, e-mail alert capabilities, and more 

IBM Workplace for Business Controls and Reporting can help enhance efficiency 
by providing: 

► Support for a broad range of internal controls: Role-based access to key 
financial and non-financial controls enables users to quickly assess 
processes. Financial processes can be linked to key financial statement 
accounts to help with understanding the effect of a particular control on 
financial statement accuracy. 

► Global, shared controls: Controls that support multiple risks, even if not in the 
same business unit or process, can be tested once and then shared by other 
risks. The sharing of controls helps reduce the cost of testing by allowing a 
control to be tested once and applied broadly. 

► Versioning and trending: Versioning support enables the organization to 
create a version of its data at defined intervals. These versions remain online 
and can be used to gauge progress and trends. 

► E-mail notifications: Notifications through e-mail provide an efficient method 
of tracking significant changes and alerting users to expected actions. 

► Automated organization movement: Organization movement enables anyone
with the appropriate access rights to move an organizational unit and all 
related process and control documentation. 

► Process and control catalog import: Process and controls information that is 
stored either in spreadsheets or expressed as XML can be imported directly 
using a utility that ships with IBM Workplace for Business Controls and 
Reporting, thereby reducing the time to set up processes and controls. 

► Edit and rename user interface items: Label Manager, an administrative 
component of the solution, enables buttons, labels, and drop-down lists to be 
edited or renamed to match specific corporate language and terminology 
when required. 

► Extended value for your IT environment: Built on open Java™ 2 Platform, 
Enterprise Edition (J2EE™) standards, IBM Workplace for Business Controls 
and Reporting enables you to implement a modular solution, helping extend 
the value of your current IT infrastructure. 


1.2.4 IBM Workplace for Business Controls and Reporting overview 
and highlights 

IBM Workplace for Business Controls and Reporting provides the knowledge and 
information management, as well as the portal and collaboration infrastructure, to 
help address internal business controls and reporting requirements. This IBM 
offering provides document management, collaboration, audit trails, and 
archiving functions in an integrated offering. The content repository technology 
forms the foundation for organizing control activities, disseminating information, 
and gathering the information required to help evaluate risk and monitor internal 
control systems. 

Highlights include: 

► Provides a platform for an organization’s business reporting process and an 
organized approach to gathering information about business controls, 
including controls over financial reporting. 

► Assigns ownership over business processes, organizational units, and even 
individual controls. 

► Enables management to actively monitor the internal controls environment on 
a continuous real-time basis with executive dashboards, helping to provide 
visibility into the effectiveness of a company’s internal business controls. 

► Helps leverage industry insights and knowledge of internal control processes 
and practices using third-party control catalogs, available directly from 
vendors at a separate charge. 

► Allows you to document the company’s control environment, helping to
support the identification of risks and controls, and to facilitate the evaluation 
of the controls’ effectiveness. 

► Integrates multiple capabilities into a single platform to leverage existing skills 
within your organization and to help drive lower total cost of ownership (TCO). 

► Provides single-password access to content and services. 

► Archives each quarter’s or year’s data with enhanced archiving capabilities. 

► Uses role-based workplaces, which provide the repository for controlling and 
sharing control documents, such as organizational charts, policies, and 
standard operating procedures. The process flow capabilities enable 
processes to be standardized, automated, and verified. 

All content related to internal controls, documents defining policies, and 
procedure or compliance processes can be stored in the tool, which can be 
accessed by internal staff, auditors, the board, external legal counsel, and others 
as required. Reports can also be generated regarding material events so that the 
effectiveness of controls activities can be easily assessed. 


1.2.5 What is IBM Workplace for Business Controls and Reporting? 

IBM Workplace for Business Controls and Reporting helps provide a common 
platform for companies to easily document, evaluate and report the status of 
controls management across multiple initiatives in your enterprise. 

IBM Workplace for Business Controls and Reporting simplifies risk assessment 
and control management by addressing a wide range of business control-related 
challenges. The solution provides an open control environment that is fully 
compatible with the Integrated Control Framework from COSO, the COBIT 
internal control framework from the IT Governance Institute, and other internal 
control frameworks from international organizations such as the International 
Standards Organization (ISO) and Information Technology Infrastructure Library 
(ITIL). This solution marks a dramatic step forward to help companies move from 
compliance with Sarbanes-Oxley to general controls management. Additionally, 
by using the collaboration capabilities, companies can develop solutions to not 
only manage internal controls but also support financial reporting accuracy and 
real-time disclosures. 

It is a tool to help you document, evaluate, and report the status of your internal
controls. IBM Workplace for Business Controls and Reporting supports both
financial and non-financial controls, as well as internal controls for financial
reporting (SOX controls). It also enables you to identify other reporting attributes
that can be useful during your SOX audit. These include the COSO component, control
type, and financial statement assertion.

IBM Workplace for Business Controls and Reporting can be used to support:

► Your quarterly SOX filings under section 302. 

► Your annual SOX filings under section 404. 

► In addition, IBM Workplace for Business Controls and Reporting can be used 
to support your overall control management process for other COSO control 
categories, such as operational and compliance controls. 

► COBIT controls can also be recorded; however, the reporting for them will be 
COSO-centric. 

IBM Workplace for Business Controls and Reporting is a standards-based 
framework that is intended to help companies address a wide range of business 
control-related problems. 

Workplace for Business Controls and Reporting Version 2.5 and future versions 
will support an open control environment that is fully compatible with the 
Integrated Control Framework from COSO, the COBIT internal control 
framework from the IT Governance Institute, and other internal control 
frameworks from international organizations such as the International Standards 
Organization (ISO) and Information Technology Infrastructure Library (ITIL). With 
this structure, companies can now document, test, and report all of their internal 
controls in a single application. 

As mentioned earlier, IBM Workplace for Business Controls and Reporting 
supports both financial and non-financial controls and any control framework that 
is based on the basic control data structure (process-objective-risk-control); 
however, regardless of which framework is used at this point in time, the 
reporting will be COSO-centric. 


1.3 Control framework support 

IBM Workplace for Business Controls and Reporting is based on a risk-based 
hierarchical process structure from the Committee of Sponsoring Organizations 
(COSO) of the Treadway Commission Internal Control - Integrated Framework. 
This framework is based on a process -> subprocess -> objectives -> risks ->
control hierarchy that runs from processes down to controls. Using a risk-based
approach provides great flexibility and allows IBM Workplace for Business Controls
and Reporting to support other risk-based frameworks, such as COBIT and the
International Standards Organization ISO-17799 control standards for security.

In addition to supporting the process hierarchy contained in COSO's Integrated 
Internal Control Framework, IBM Workplace for Business Controls and Reporting 
also supports COSO-based control management through support for control 
components and financial statement assertions. Both of these items are data
attributes that can be associated with a control object. COSO uses an Internal 
Control Framework cube made up of five components. 

COSO defines each of the five components as follows: 

1. Monitoring: Provides an assessment of control status at a point and over time. 

2. Information and communication: Provides appropriate access to and flow of 
information. 

3. Control activities: Establish appropriate policies and procedures that ensure 
objectives are met. 

4. Risk assessment: Identification and analysis of risks that might hinder the 
achievement of objectives. 

5. Control environment: Includes people, organization structure, culture, 
governance structure, ethical standards, business processes, and so on. Sets 
the tone that influences control consciousness. 

For more detailed information about COSO and the COSO Internal Control -
Integrated Framework, see the COSO Web site at:

http://www.coso.org 

COBIT is a governance framework for managing the information technology 
functions, resources, and activities. It contains guidance for topics beyond 
control management, such as key performance indicators and other performance 
management areas. IBM Workplace for Business Controls and Reporting 
addresses the control management aspects of COBIT, and IBM Workplace for 
Business Execution addresses the performance management-related aspects. 

To help companies understand how COBIT control structures can be used to 
support Sarbanes-Oxley compliance efforts, the Information Systems Audit and 
Control Association (ISACA) published IT Controls for Sarbanes Oxley. In this 
publication, ISACA provided the modification of the COSO cube that we 
discussed previously. 

For further information about ISACA, COBIT, and IT Controls for Sarbanes 
Oxley visit the ISACA Web site at: 

http://www.isaca.org 


1.4 Summary 

IBM Workplace for Business Controls and Reporting provides:

► Support for decision making and disclosure

► Role-based access to key financial indicators that enable you to quickly
assess your processes 

► Information for an on demand environment 

You can respond rapidly to changing needs, helping to create a 
high-performance workforce. Also, the solution provides effective 
management for collaborative creation, storage, access, and distribution of 
content. Robust document management can help with audit trails, access 
control, and security. 

► Information to help improve productivity 

By helping to provide the right information at the right time, such as 
information about standard operating procedures, you can help to drive 
improved business productivity across your organization. Presence 
awareness and online chat can help improve communication and help resolve 
issues quickly through real-time collaboration. 

► Extended value for your IT environment 

Built on open Java 2 Platform, Enterprise Edition (J2EE) standards, IBM 
Workplace for Business Controls and Reporting enables you to implement a 
modular solution, helping extend the value of your current IT infrastructure. 
Built on industry leading IBM WebSphere Portal and IBM DB2® Content 
Manager software, IBM Workplace for Business Controls and Reporting 
allows infrastructure flexibility while providing all of the benefits and continued 
support of one of the world’s largest software vendors. 

► Internal controls reporting: A closer look 

The solution is designed to help you tailor your company’s control 
assessment process to match its specific needs, and then to disperse 
requests to report on these points of control to your operational units. 
Individual reporting units describe how they comply (or do not comply) and 
provide documentation in support of those claims. With all units reporting, you 
can have a picture of the company’s overall compliance effectiveness. This 
can reveal to senior management where further efforts might be needed or 
where the desired controls posture has been achieved—with supporting 
materials. 

In the following chapters, we discuss the operation and functionality of the IBM 
Workplace for Business Controls and Reporting system, features for the IBM 
Workplace for Business Controls and Reporting application administrator, and 
some high-level planning and deployment methodologies. Whether you are a line 
of business executive, financial controls manager, auditor, or application 
administrator, this Redpaper will introduce you to Workplace for Business 
Controls and Reporting and its administrative and operational features. 


IBM Workplace for Business
Controls and Reporting
functional operations


This chapter describes the functional operations and use of the IBM Workplace 
for Business Controls and Reporting system. In this chapter, we discuss: 

► Software methodology overview 

► User access and profiles overview 

► Navigation within the application 

► Setting up an organization 

► Creating financial statements 

► Creating documentation and the process hierarchy 

► Evaluating the test procedure and controls 

► Certification functionality 

► Reporting and monitoring 

2.1 Software methodology overview

The general flow of work in IBM Workplace for Business Controls and Reporting 
follows four stages: scope, document, evaluate, and report. Although Figure 2-1 
shows reporting as a linear step that occurs at the end, there is reporting in all of 
the stages of IBM Workplace for Business Controls and Reporting. We describe 
each of these stages in greater detail in the following sections. 



Figure 2-1 Business process review 


The Workplace for Business Controls and Reporting process has three stages:
scoping, documentation, and evaluation. Reporting can be seen as the result of
those stages.

The scoping and documentation stages are usually done by relatively small 
groups of people in your organization. 

The evaluation stage is usually done by a much larger constituency of end users. 
These users are the control and procedure owners who are responsible for 
evaluation of the control test procedures. Later, assessments can be made on 
controls to determine whether they are effective or not. 

Finally, reporting and monitoring are a result of previous phases. 

Figure 2-2 on page 13 shows a detailed flow chart of the software methodology. 
The next few sections discuss each of the stages in detail. 

Figure 2-2 Software methodology tree


2.1.1 Scoping: Organization 

There are three parts to the scoping phase within the application: 

► Defining and setting up the organization units 

► Identifying the significant accounts in your financial statements 

► Loading the control catalog and the significant accounts through the catalog 
import 

Note: We discuss this last item in 3.5.2, “Data import” on page 174. 

If we look at the organization portion of the scoping phase, it is the part of the 
application where you define your organization’s business unit hierarchy. We use 
the term business unit (BU) loosely, and depending on your organization’s control 
structure, this can mean that you create the hierarchy by division, business unit, 
region, business function, product line, and so on. 

There can be any level of depth or breadth in the organizational hierarchy.
However, there is only one single top level unit that we refer to as the parent 
company. When you define the business units, you also assign or delegate 
ownership for each BU. This enables you to define ownership and authorities. 
Figure 2-3 illustrates business units. 


Figure 2-3 Business units: Scoping phase
(Figure labels: “Mirror” your corporate structure; Define Organization; Define
Financial Reports; Assign Owners; Parent Company)


2.1.2 Scoping: Financial statements 

The three financial statements included in IBM Workplace for Business Controls 
and Reporting are also defined as part of the scoping phase: 

► Balance sheet 

► Income statement 

► Disclosures 

Prior to the determination of the effectiveness or ineffectiveness of controls, the 
financial statements help a company to scope the controls that should be the 
focus of its efforts by helping them to understand which of their controls support 
significant accounts in the financial statements. 

The reason you want these defined up front is so that during the documentation 
phase, the subprocesses can be linked to the individual, significant line items on 
the financial statements. That way, if controls are found to be ineffective, you will 
know where and what level of impact that will have on the financial data. Keep in 
mind that up-to-the-minute financial data is not required for the financial 
statements, nor is this function meant to take the place of your existing financial 
systems. 


Note: Version 2.5.1 contains support for federal financial statements. For 
more information, see “Template supports federal financial statements” on 
page 197. 

2.1.3 Documentation

As a reminder, the process tree looks as follows: 

Process -> Subprocess -> Objective -> Risk -> Control -> Procedure

The process tree consists of the following components: 

► Processes are defined and associated with a business unit. 

- As the software methodology indicates in Figure 2-4 on page 16, a 
process can also have its own ownership or delegated ownership that 
provides access control in the same way it does at the business unit level. 

- A process has one or more subprocesses. 

► Subprocesses are subunits of a process and can have one or more objectives,
each of which is the desired status for that subprocess.

- Subprocesses can be linked to any number of significant line items on the 
financial statements. 

- You can attach process documentation (any file type and any number of 
files can be associated with a subprocess as part of the documentation 
effort). See 2.6.3, “Attachments and URLs” on page 64 for more 
information. 

► Each objective can be associated with one or more risks that stand in the way 
of achieving the objective. 

► Each risk can be associated with one or more controls that mitigate or 
eliminate the risk. 

► Each control can be associated with any number of test procedures. 

- Ownership can be defined or delegated again at this level. 

- You can also link to a single control that is shared across multiple 
processes or business units, or both. 

► Test procedures outline the test steps that the control owners or procedure 
owner will follow before assessments are made as to whether the control is 
effective or ineffective. 

- Ownership can be defined or delegated again at this level. 


Note: Notice at the subprocess and procedure level that you can attach or 
reference specific documentation within the tool. You can attach any file 
format (flowcharts, spreadsheets, Microsoft Word documents, and so on) that 
describe the processes or procedures. In Version 2.5.1, you can also attach 
documentation at the process level. 

Figure 2-4 Documentation phase methodology


2.1.4 Evaluation 

During the evaluation stage, procedures are executed to determine the 
effectiveness or ineffectiveness of the controls. Procedures can be based on a 
variety of audit techniques, including sampling, walk-throughs, interviews, and 
reviews. Failed samples can be remediated, and a history of sampling will be 
kept. 

Documentation can be attached at the procedure level to record evidence of 
testing. 

Lastly, though not visible in the tree diagram, you will give access to someone 
who has an overall process perspective to create a control observation record for 
the controls in the system. This enables the assigned person to specify any 
deficiencies, impact, and recommendations and indicate whether there are any 
mitigating controls to make up for any deficiencies for each individual control. 
You can create a control observation for any control that has been tested,
whether the result was ineffective or effective. See Figure 2-5.


Figure 2-5 Evaluation/report methodology
(Figure labels: Evaluate / Report; Test Defined Controls; Determine
Effectiveness; Remediate Controls)
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2.1.5 User access control example 

In Figure 2-2 on page 13, you will notice small people icons in some of the boxes 
throughout the methodology tree chart. These icons indicate the levels at which we 
assign ownership or delegate ownership. 

In this example, if you are assigned as the owner of Business unit A-2, you would 
own this business unit and anything (down to the procedure level) that comes 
below it. By default, you can add, edit, and remove anything below and be able to 
read all information that is defined in a direct line leading to the top-level business 
unit. Therefore, you will see business unit A and the parent company, but you 
might not be aware that business unit A-1 or business unit B existed because you 
would never even see these in the system. 

Similarly, a user who logs in as a control owner can see where each control falls 
in the hierarchy, with a read-only line above it, but sees only the hierarchy for the 
controls for which they have ownership or delegated ownership. 

The granularity of access can be controlled further as described in 3.2, “IBM 
Workplace for Business Controls and Reporting access control” on page 125. 
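
The default rule described in this section can be modelled in a few lines. This is an added example, not product code: the business unit names follow the text, while the process, control, and procedure names under A-1 and A-2 are constructed.

```python
# Constructed model of the default ownership rule from section 2.1.5.
# Business unit names follow the text; objects under A-1 and A-2 are invented.
PARENT = {  # child -> parent
    "Parent company": None,
    "Business unit A": "Parent company",
    "Business unit B": "Parent company",
    "Business unit A-1": "Business unit A",
    "Business unit A-2": "Business unit A",
    "Process A-2/Payables": "Business unit A-2",
    "Control A-2/Invoice match": "Process A-2/Payables",
    "Procedure A-2/Sample invoices": "Control A-2/Invoice match",
    "Process A-1/Payroll": "Business unit A-1",
}


def ancestors(node):
    """Nodes on the direct line from node's parent up to the top-level unit."""
    line = []
    parent = PARENT[node]
    while parent is not None:
        line.append(parent)
        parent = PARENT[parent]
    return line


def descendants(node):
    """Everything below node, down to the procedure level."""
    found = []
    stack = [node]
    while stack:
        current = stack.pop()
        children = [n for n, p in PARENT.items() if p == current]
        found.extend(children)
        stack.extend(children)
    return found


def default_access(owned):
    """Map each visible node to 'edit' or 'read' for a user who owns `owned`.

    Nodes missing from the result are invisible to that user.
    """
    access = {}
    for node in owned:
        for up in ancestors(node):
            access.setdefault(up, "read")   # read-only line to the top
        for down in [node] + descendants(node):
            access[down] = "edit"           # owned subtree; edit wins over read
    return access


def invisible(owned):
    """Nodes the user never sees, such as sibling business units."""
    return sorted(set(PARENT) - set(default_access(owned)))


if __name__ == "__main__":
    for node, right in sorted(default_access({"Business unit A-2"}).items()):
        print(f"{right:5} {node}")
    print("hidden:", invisible({"Business unit A-2"}))
```

Reviewing the `invisible` set for each owner is a quick way to confirm that an assignment does not expose sibling units before it is made in the tool.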


2.1.6 Reporting and monitoring 

Reporting and monitoring occur throughout the entire process and not just at the 
end. There is reporting to support each of the three previously discussed steps. 
IBM Workplace for Business Controls and Reporting provides reports through 
both a graphical Executive View that supports drill down to textual reports and 
standard textual reports. We discuss this in much further detail in 2.9, “Reporting 
and monitoring” on page 103. 

The overall objective of IBM Workplace for Business Controls and Reporting and 
the business process that we just discussed is to help establish a sustainable 
business process. To achieve sustainability, organizations and the applications 
that support them must be able to effectively deal with change. Change can 
come in the form of organizational, people, or process changes. 

IBM Workplace for Business Controls and Reporting can support change through 
the following features: 

► As organizational/business units move within your organization, IBM 
Workplace for Business Controls and Reporting can support those changes 
through the organization move capabilities. 

► As people change jobs or roles, their access can be modified to reflect their 
new roles and new people can be assigned to their old role easily. 

► As processes change, the documentation can be changed through the 
dynamic update feature. 


2.2 User access and profiles overview 

Now that you have a good idea of the software methodology, it is useful to talk 
about the various types of users that might be using IBM Workplace for Business 
Controls and Reporting. An in-depth look at creating and managing roles within 
the tool is in 3.2, “IBM Workplace for Business Controls and Reporting access 
control” on page 125. 

There are five main categories of users within the application: 

► Super users 

► Business unit/process/subprocess owners 

► Control owners 

► Procedure owners 

► Auditors 


2.2.1 Super users 

The first group of users to consider are the super users, or power users. These 
are individuals who will have the greatest knowledge about IBM Workplace for 
Business Controls and Reporting and will generally become internal training 
resources. Within your company, they will usually be a part of the compliance 
project office and will have global access to the application. These users are 
more than likely to have the responsibility for: 

► Creating the organizational hierarchy and adding the business unit structure 
into the application 

► Adding the financial reports to the system 

► Importing control catalogs 

► Administering the application functionality 


2.2.2 Business unit, process, and subprocess owners 

The next group of users are the business unit, process, and subprocess owners. 
They are generally the users who are responsible for: 

► Allocating assignment of resources to document processes and controls and 
evaluating the testing and controls 

► Certification, if business units and subprocess certification are used 

► Determining the level of impact of ineffective controls 


Tip: Users with this role should use the My Lists section of the application to 
access areas of responsibility. This will simplify the use of IBM Workplace for 
Business Controls and Reporting. See Figure 2-6 for an example. We discuss 
the user interface in greater detail in 2.3, “Navigation within the application” on 
page 20. 



Figure 2-6 A look at My Lists 


2.2.3 Control owners 

Control owner resources are generally assigned by either the process or 
subprocess owner. They are responsible for: 

► Documentation of controls and evaluation procedures 

► Initial determination of individual control status based on evaluation results 

► Certification status of controls based on company standards 

These users are usually not responsible for impact ratings because they will 
normally not have a sufficient perspective to make that decision. 

2.2.4 Procedure owners 

Procedure owners are responsible for the execution of the testing instances 
(referred to as procedures and samples in IBM Workplace for Business Controls 
and Reporting). They record the results of the testing and record if it passed or 
failed. They are responsible for the remediation or gap plans from an IBM 
Workplace for Business Controls and Reporting perspective. However, they 
might not be directly involved in the execution of all or part of the plan. Internal 
auditors who are responsible for evaluations can also be assigned to evaluation 
roles. These users are responsible for: 

► Documentation of evaluation procedures and test plans 

► Execution of evaluation procedures and conclusions regarding evaluation 
results 

► Recording evaluation results in the tool 

► Certifying the status of evaluations based on company standards 


2.2.5 Auditors 

When we refer to auditors in the context of IBM Workplace for Business Controls 
and Reporting, we are generally referring to internal auditors. For a variety of 
legal reasons, external auditors will generally record their work papers in a 
client’s work paper environment. However, internal auditors can and often do 
have read-only access to the system. 

Auditors review the results of evaluations and provide feedback on evaluation 
results and control effectiveness. They also have the ability to directly comment 
on each evaluation procedure. 


2.3 Navigation within the application 


Important: Throughout this chapter, we are describing the default settings for 
this application. Make note that some of the following behavior can be 
changed based on specific application settings available to administrators, as 
described in 3.3.1, “Global settings” on page 135. 


IBM Workplace for Business Controls and Reporting is based on IBM 
WebSphere Portal technology, which provides the user interface to the 
application through pages and portlets. Pages provide us access to the various 
areas of focus of the application, and portlets provide windows into specific 
functionality within the tool. 

When you log in to the application, you will notice the following pages or tabs 
(see Figure 2-7 on page 21): 

► Home: An overview of the application. 

► Executive View: The place to report on the status of your control framework. 

► Documentation: The area where you will import or develop process 
documentation. 

► Evaluation: The tab where evaluations of controls and test procedures take 
place. 

► Organization: Where you create and maintain your organizational hierarchy. 

► Reports: The place to view reports. 

► Financial Reports: The area to create or view financial reports within the 
application. 

► In Version 2.5.1, a new tab has been added for Settings: This is where you 
administer application settings. 


Tip: If you want, you can use WebSphere Portal (Portal for short) to customize 
IBM Workplace for Business Controls and Reporting: 

► The theme can be branded to match your company’s look and feel. 

► For additional security, you can provide access control to each of the 
pages based on what type of user is accessing the application. 

For example, a control owner might not need access to the Organization 
tab. 

Refer to the IBM WebSphere Portal Information Center for information about 
how to customize themes and how to apply security to pages, available at: 

http://publib.boulder.ibm.com/pvc/wp/500/ent/en/InfoCenter/index.html 


2.3.1 Orientation to the application 

Each page has two portlets, Navigator and Detail, that provide access to the 
various objects maintained in the application. Each of these portlets is made up 
of two parts, giving us four quadrants. See Figure 2-8 on page 23. 

Figure 2-8 Navigation with portlets 

As shown in Figure 2-8: 

► The upper-left quadrant of the window is the primary navigation area and is 
often referred to as the tree. The tree contains the hierarchy for the 
organization and the process structure. 

► The area in the lower-left quadrant is what we refer to as My Lists. This 
provides you with the ability to search for information or pull up relevant lists 
of objects that you own directly or indirectly, such as all the controls for which 
you are responsible. We discuss this in more detail in 2.3.2, “Navigation 
options (how to get around)” on page 25. 

► The area in the upper-right quadrant shows all the details of the object that 
has been selected. You will also note that any actions that are available for a 
specific object are shown as buttons in this portlet. 

► The area in the lower-right quadrant shows the next level details, the 
children, of the object that is selected in the main navigational window. 

For example, if you are looking at a business unit, you will either see 
dependent business units or its processes below, or both. Or, if you are 
looking at an objective as the main object, you will see the risks listed in this 
area. 


Important: On the tabs for Organization, Executive View, and Reports, the 
tree and details only show business units. When the Documentation or 
Evaluation tabs are selected, both the business unit and the process/control 
hierarchy are shown. 


IBM Lotus Sametime integration (instant messaging) 

You have the option to install and implement Lotus Sametime® instant 
messaging functionality within the context of the IBM Workplace for Business 
Controls and Reporting application. With this functionality, you will be able to 
view whether a person is online and available to communicate in real-time 
through instant messages. 

In Figure 2-9 on page 25, you can see that Jessica’s name is in green with a 
green box in front of it. This means that she is online and available for 
conversation. If a user was logged in but away from their desk, the name would 
be yellow with a diamond, as in the case of Terrence. If someone was online but 
did not want to be disturbed, the name would be black with a do not disturb sign 
in front of it, as in the case of Philip. 

If we wanted to communicate with any of these users, we simply click their name 
and initiate an instant message session, as shown in Figure 2-9 on page 25. 

This concept of presence awareness is extremely valuable if you need an 
immediate answer or advice from a user who is working in the application. 

Figure 2-9 Sametime integration in IBM Workplace for Business Controls and Reporting 


2.3.2 Navigation options (how to get around) 

There are three common ways of navigating within IBM Workplace for Business 
Controls and Reporting: the Tree View, Search for, and My Lists areas. 

Tree View 

The tree is navigated by clicking the plus and minus (+/-) icons to expand or 
collapse the hierarchy for a particular object, as shown in Figure 2-10 on 
page 26. On the Documentation and Evaluation tabs, you can drill all the way 
down from the parent organizational unit to the test procedures for a particular 
control. 

When you select the Executive View or Organization tab, the Tree View expands 
to only business units. 

When you select the Documentation, Evaluation, or Reports tabs, the Tree View 
includes and expands to: 

► Business units 

► Processes 

► Subprocesses 

► Objectives 

► Risks 

► Controls 

► Procedures 



Figure 2-10 Tree View portlet for navigation expanded to a subprocess 

Search for 

In the lower-left quadrant, as shown in Figure 2-11, you also have the ability to 
search for an object within the system. 

Type a portion or complete name of an object in the Search for box and then 
select the scope of the search by selecting an area under the Search in 
drop-down list. Finally, click the magnifying glass icon to start the search. This 
will result in the application displaying a list of objects that match your search 
criteria from which you can select the object you want. 



Figure 2-11 Search for navigation 


Important: In Version 2.5 or earlier, this search is case dependent. Therefore, 
if you want to find EMEA Operations, you cannot use a lowercase “emea” to 
find it. This restriction has been removed in Version 2.5.1. 


My Lists 

The My Lists component generates lists specific to a user that logs in to the 
system. This is a powerful way for users that have limited roles within IBM 
Workplace for Business Controls and Reporting to quickly get in and perform the 
tasks that are assigned to them. Available lists are dependent on the tab that is 
active. 

When you select the tab for Organization, Executive View, or Reports, My Lists 
include My Business Units. 

When you select the Documentation or Evaluation tabs, My Lists include: 

► My Business Units 

► My Processes 

► My Subprocesses 

► My Controls 

► My Procedures 



Figure 2-12 My List component 

When a specific list is selected from the drop-down list, and the user clicks the 
arrow icon, a list of the controls for which they have ownership appears. 


Example: A control owner that has a number of controls assigned can get in 
and quickly generate a list of controls that he or she owns without having to 
navigate through the tree hierarchy one object at a time. See Figure 2-13 on 
page 28 for this example. 


My Lists can be displayed for objects that are directly owned or indirectly owned 
by selecting the Include items I own indirectly option. Indirectly owned items 
include those objects for which the user has been defined as a delegate (rather 
than the owner) and those objects that the user implicitly owns because they 
have been granted explicit owner or delegate access at a higher level in the tree. 


Example: If you are listed as a delegate for a business unit or process and 
you select the Include items I own indirectly option, it will also display those 
business units or processes in the results. 

If you are the owner of a process and look for My Procedures while Include 
items I own indirectly is enabled, the list will contain all of the procedures for 
that process. 



Figure 2-13 My List results from selecting “My Controls” with an indirectly owned control in the list 

The portlets and components on each page communicate with each other to 
display the appropriate, related objects. When an object is selected from the list 
of results, IBM Workplace for Business Controls and Reporting automatically: 

► Expands the tree component to show where in the hierarchy you are currently 
working 

► Sends the object to the details component in the upper-right quadrant 

► Shows any child objects related to that object in the lower-right quadrant 

See Figure 2-14 for the results of selecting the Involve users in review control 
from the My Controls list. 



Chapter 2. IBM Workplace for Business Controls and Reporting functional operations 29 

2.3.3 Audit trail overview and detail 

In Figure 2-14 on page 29, you might have noticed a Show Audit Trail button. The 
Audit Trail button appears throughout IBM Workplace for Business Controls and 
Reporting for each of the objects in the system. The audit trail tracks details 
about any changes to an object so that you can easily track the following 
information: 

► When did the change happen? 

► Who made the change? 

► What change was made? 

► What were the values before and after the change? 

Figure 2-15 on page 31 is an example of an audit trail for the EMEA IT business 
unit. 

For this example, you can see that all the changes to this business unit have 
been tracked from the moment it was added to the system. We see items 
such as: 

► March 7: The addition of the business unit to the system. 

► March 9: The move of the business unit from AP Ops to EMEA Ops. 

► April 5 and June 15: Certifications of the business unit took place. 

► June 17: The scope for the business unit was changed. 

► You will also notice that on several dates and times the Owner and Delegate 
fields were updated. We can tell this because the Show User Details button 
appears in the Value after column. Figure 2-16 is an example of this drill down 
report if we were to click the Show User Details button. 



Figure 2-16 Show User Details button in Audit Trail 

The following items are available to track through the audit trail: 

► Organizational unit 

► Process 

► Subprocess 

► Objective 

► Risk 

► Control 

► Procedure 

► Financial statement 

► Financial statement category 

► Financial statement caption 

► Financial statement subcaption 

► Control execution 

► Control observation 

► Control evaluation 

► Linkage between risk and objective 

► Linkage between risk and control 

► Linkage between subprocess and financial statement subcaption 

► Attachment 

► Certification 

► ACL 

► User 

► Role 

► Move organizational unit 

Note: If objects are deleted, this is recorded in the audit trail of that object’s 
parent. 


2.4 Setting up an organization 

Setting up the organizational structure and hierarchy is done in the Organization 
tab of the application and is a part of the scoping phase of the overall project. 

Organizational units represent how controls and related documentation are 
organized and managed within IBM Workplace for Business Controls and 
Reporting. This structure can represent the actual corporate structure or can be 
optimized to better support control management. 

It is important to note that reporting is driven from the organization structure. 
Another point to consider when developing the organization structure is how 
reporting will be managed. 


Example: If you are including COBIT controls and want to see domain 
reporting, you can achieve this objective by setting up COBIT domains as an 
organizational unit. 


Figure 2-17 on page 34 shows the fields that you need to complete when adding 
an organizational unit to the structure, and Table 2-1 on page 34 provides a 
description of each field. 

Figure 2-17 Organizational unit fields 

Table 2-1 Field values for an organizational unit 

Field: Name* 
Value: Text 
Description: The name of the organizational unit. 

Field: Description 
Value: Text 
Description: A free form text field to document a description. 

Field: Outline 
Value: Text 
Description: A text field to enable you to apply an outline structure to your 
business units. 

Field: Rating* 
Value: 
► None 
► Satisfactory 
► Marginally Satisfactory 
► Unsatisfactory 
Description: This field is where you can optionally apply a rating for the 
business unit. 

Field: Scope* 
Value: 
► Aggregated-Important 
► Aggregated-Not-Important 
► Individually Significant 
► Significant Risk 
Description: Companies with multiple business units, geographic locations, or 
reporting units might need to determine which locations are relevant and should 
be included in their assessment. Management might consider which locations are 
financially significant in terms of the potential for a material misstatement. It is 
likely that a relatively small number of locations or business units encompass a 
large portion of the company’s operations and financial position. Management 
also might consider whether there are locations that have specific significant 
risks or whether individual locations or business units that are not significant by 
themselves might be financially significant when aggregated with others. 

Field: Rationale 
Value: Text 
Description: This is where you can explain the rationale for choosing the 
previous options. 

Field: Owner* 
Value: User name 
Description: A selection box that designates who has ownership of the 
organization unit and is considered legally accountable. Only one owner is 
allowed for each business unit. 

Field: Delegates 
Value: User or group names 
Description: A place to choose one or more users or groups who need delegated 
access to the organization. These users have the same default access as the 
owner. 

* These fields are required in order to create an organizational unit. 


Tip: If your organization uses different terminology for the values in the 
drop-down lists that are available at the various objects, you can use the Label 
Manager functionality to change, add, or remove values on those lists. For 
more information about Label Manager functionality, see 3.3.2, “Customizing 
the IBM Workplace for Business Controls and Reporting labels” on page 148. 


Restriction: Many objects in the application have similar fields. For several of 
these fields, there are limitations on the size of the fields. We consolidated the 
list here for your convenience: 

► Name fields: 512 characters 

► Description fields: 1024 characters 

► Rationale fields: 1024 characters 

► Procedure comments: 1024 characters 

► (Auditor) Observations: Deficiency, Implication, Recommendation, 
Mitigating control: 254 characters each 

► Attachment titles: 1024 characters 

► Attachment file names: 254 characters 

► Certification comments: 1024 characters 


Important considerations regarding delegates 

All of the objects in IBM Workplace for Business Controls and Reporting that can 
be assigned an owner can also be assigned a delegate. Delegates are used to 
assign responsibility or access to additional individuals. In making a delegation 
assignment, the owner specifies the individual or individuals that are to be 
assigned as delegates and their role. The role designation will govern the rights 
that the delegate will have relative to the object. This capability provides object 
owners with a powerful capability to allocate work and provide access while 
retaining the original accountability. 

However, this capability is not without potential for problems if not implemented 
and used properly. Potential concerns with delegation are that it could undermine 
segregation of duties or diffuse accountability. The following sections provide 
examples of how a delegate designation might undermine segregation of duties 
or diffuse accountability. 

Undermine segregation of duties 

To support segregation of duties, a company has a policy that process and 
subprocess owners cannot also own the underlying controls. The manager of 
accounts payable (AP) is assigned as a process and subprocess owner, and the 
accounts payable supervisor reporting to the manager is assigned as the control 
owner for all controls. As part of normal business practices, the AP manager will 
delegate all of their responsibilities to the AP supervisor. The AP manager goes 
on vacation and delegates all responsibilities including IBM Workplace for 
Business Controls and Reporting to the AP supervisor. The AP supervisor is now 
effectively the object owner for the AP process, subprocesses, and controls. The 
segregation rule regarding process and subprocess ownership and controls has 
been violated. 

Diffuse accountability 

IBM Workplace for Business Controls and Reporting supports the assignment of 
an unlimited number of delegates to any available role. The object type 
determines available roles, for example, a delegate to a process object should 
not be made to an organization object role (that is, organization helper). 
However, if too many people are assigned as delegates or role designations are 
not clear, it becomes unclear who is responsible for what. 

Considerations when making delegate assignments 

To address these concerns, we suggest the following guidelines: 

► For delegations that will have similar rights to the object owner, assign 
delegates from another functional unit when segregation of duties issues 
exist. In the previous case, delegating to the payroll manager addresses the 
issue. 

► Limit the number of delegates and roles to a particular object. This is 
especially important where delegates will have the ability and responsibility to 
update the object. 

► Make delegation designation assignments temporary or for a specific purpose 
that is clearly defined and articulated. 

However, it is important to note that the purpose of this discussion is not to 
discourage the use of delegations. As stated earlier, delegations provide IBM 
Workplace for Business Controls and Reporting users with tremendous flexibility 
to manage control management work activities. The objective of this section is to 
provide information about potential problems that might be created through a 
delegation assignment and to provide guidance about how to avoid those 
problems. With proper planning and consideration, delegations can provide 
tremendous opportunity to provide access to individuals that need to review 
information in IBM Workplace for Business Controls and Reporting or perform 
tasks within it. 
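
The accounts payable scenario above can be checked mechanically before a delegation is saved. The following is an added example, not a product feature or product code: the object names, user IDs, and the `max_delegates` threshold are assumptions, and delegates are treated as having the owner's default access, as the Delegates field description states.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model, not product code: object names, user IDs and the
# max_delegates threshold are assumptions made for this example.


@dataclass
class Obj:
    name: str
    kind: str                      # "process", "subprocess", "objective", "risk", "control"
    parent: Optional[str]
    owner: Optional[str] = None    # objectives and risks carry no owner in this model
    delegates: set = field(default_factory=set)


def effective_owners(obj):
    """Map user -> 'owner' or 'delegate' for everyone with owner-level access."""
    people = {user: "delegate" for user in obj.delegates}
    if obj.owner is not None:
        people[obj.owner] = "owner"
    return people


def sod_violations(objs):
    """Policy from the text: a process or subprocess owner must not also own
    the underlying controls.

    Returns tuples (user, control, access on control, ancestor, access on ancestor).
    """
    by_name = {o.name: o for o in objs}
    findings = []
    for ctl in (o for o in objs if o.kind == "control"):
        ctl_people = effective_owners(ctl)
        parent = ctl.parent
        while parent is not None:          # walk up towards the process
            anc = by_name[parent]
            if anc.kind in ("process", "subprocess"):
                anc_people = effective_owners(anc)
                for user in sorted(ctl_people.keys() & anc_people.keys()):
                    findings.append((user, ctl.name, ctl_people[user],
                                     anc.name, anc_people[user]))
            parent = anc.parent
    return findings


def over_delegated(objs, max_delegates=2):
    """Objects whose delegate list exceeds a locally chosen limit."""
    return [o.name for o in objs if len(o.delegates) > max_delegates]


def ap_scenario(vacation_delegate=None):
    """The accounts payable example; vacation_delegate is the person to whom
    the AP manager delegates the process and subprocess while away."""
    cover = {vacation_delegate} if vacation_delegate else set()
    return [
        Obj("Accounts payable", "process", None, "ap_manager", set(cover)),
        Obj("Invoice approval", "subprocess", "Accounts payable",
            "ap_manager", set(cover)),
        Obj("Pay valid invoices only", "objective", "Invoice approval"),
        Obj("Duplicate payment", "risk", "Pay valid invoices only"),
        Obj("Three-way match", "control", "Duplicate payment", "ap_supervisor"),
    ]


if __name__ == "__main__":
    for who in (None, "ap_supervisor", "payroll_manager"):
        print(who, sod_violations(ap_scenario(who)))
```

Delegating to the AP supervisor produces two findings, one per ancestor, while delegating to the payroll manager produces none, which matches the first guideline above.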

E-mail notifications 

E-mail notifications can be set up to be sent out when specific changes are made 
to the organization unit and other objects within IBM Workplace for Business 
Controls and Reporting such as: 

► Business unit 

► Process 

► Subprocess 

► Objective 

► Risk 

► Controls 

► Test procedures 

► Import 

► Control evaluations 

Rules are based on selections made in the Notification section. We discuss this 
in detail in 3.4, “Configuring notifications and alerts” on page 152. 

2.4.1 Adding a business unit 

The top-level business unit is created when the application is installed and set up 
for the first time. After that is completed, use the following process for creating a 
business unit (see Figure 2-18): 

1. Go to the Organization tab. 

Figure 2-18 Organization tab 

2. Select the level within the organization tree hierarchy under which you want 
the new business unit to be placed. 

3. Click the Add Business Unit button in the bottom-right quadrant. 

4. Fill in the appropriate fields described earlier. 

5. Click OK. 

Your new business unit has been created in the hierarchy. 

2.4.2 Adding or changing an owner or delegate 

When you create a business unit, process, subprocess, control, or procedure, 
ownership defaults to the person who is creating that object. A user can only 
create objects if that user is permitted access in one of two ways: 

► If the user has administrator rights to the system (discussed in further detail in 
3.1, “Administrative responsibilities” on page 118) 

► If the user is listed as an owner at one or more levels above the level at which 
the user needs to create the object. 


Example: If you need to create a finance business unit under NA 
Operations, you need ownership or delegated ownership at the NA 
Operations business unit level or the ACME parent organization in this 
scenario. 


Changing an owner 

To change an owner, perform the following steps: 

1. Make sure that you are in Edit mode for the object you want to change by 
clicking the Edit button in the Details window. 

2. To change an owner, click the pencil icon next to the Owner field, as shown in 
Figure 2-19. 


Figure 2-19 Pencil icon 

3. Click Change Owner, as shown in Figure 2-20 on page 40. 

Figure 2-20 Change Owner button 

In this window, you see the Roles drop-down list. Note that you will see this 
list in any Owner or Delegates fields. This function is to provide users within 
the system with custom access to an object in the system. 


Example: You can potentially add a delegate at the business unit level and 
change that user’s role to control owner. This allows that user to have 
delegated ownership to all the controls under that business unit. 

Based on the current implementation of IBM Workplace for Business 
Controls and Reporting, this might produce unwanted side effects, because 
one of the role permissions is the ability for an object owner to create 
child objects. In theory, you want a control owner to have the ability to 
create procedures or observation records for a control. However, the 
create child object permission is applied at the level at which the role was 
designated. In this case, if you gave a user the control owner role at the 
business unit level, you are giving this user the ability to potentially create 
additional units and processes under this organization unit. 


Important: Use extra caution when using the Roles field within IBM 
Workplace for Business Controls and Reporting. Because role 
assignments grant access rights to individuals, care must be taken to 
ensure that roles are consistent with desired authority. We recommend 
accepting the default selection that is presented to you for the object with 
which you are working. See 3.2, “IBM Workplace for Business Controls and 
Reporting access control” on page 125 for further details about roles and 
permissions. 


4. In the Search for field, type all or part of a user’s name and click the Search 
button, as shown in Figure 2-21 on page 41. 

Figure 2-21 Search button 


5. Select a user from the list by selecting the corresponding radio button and 
clicking OK, as shown in Figure 2-22. 


Figure 2-22 Select a user 


6. Click OK to save. 

7. Click OK again to save the change at the object level. 

Adding or deleting a delegate 

Within the function of setting up delegates, you have the ability to add or delete 
these users from an object in the system. To add or delete a delegate, perform 
the following steps: 

1. Make sure that you are in Edit mode for the object you want to change by 
clicking the Edit button in the Details window. 

2. Click the pencil icon next to the Delegates field, as shown in Figure 2-23. 


Figure 2-23 Owner and Delegates 

3. Click the Add button to add a delegate to the list. Or, click the Delete icon to 
remove a user. See Figure 2-24. 



4. When adding a delegate, select whether you want to add Users or User 
Groups from the drop-down list, as shown in Figure 2-25. 



Figure 2-25 Users or User Groups 


5. Type in all or part of the user’s name or group name in the Search for field 
and click Search. 

Tip: You do not have to know the complete name. This search provides 
results even if you enter only a few characters. 

6. Select one or more users and groups from the results list. 

7. Click OK to save the user selection. 

8. Click OK again to save the changes to the organization unit. 


The same procedures apply when dealing with ownership for process, 
subprocess, control, or procedure objects. 

2.4.3 Moving a business unit 

IBM Workplace for Business Controls and Reporting provides the ability to move 
a business unit and all of its associated documentation to a new location in the 
hierarchy, for example, if your company experiences a reorganization or has the 
need to adjust the hierarchy for logistical reasons. A few important notes on this 
function: 

► While business units are set up and maintained (name changes, owner 
changes, and so on) through the Organization tab, organization movement is 
handled through the Move button under the Documentation tab shown in 
Figure 2-26 on page 44. This is because you are not only moving the 
organization object, but also all the documentation and evaluation objects 
under it. 

► The mover must have access control to both the originating business unit 
parent and the destination business unit parent. 

► Movement is effective for the currently active version, and it must be done in 
totality; business units cannot be split into several business units. 

► Business units can be combined by creating a new parent business unit and 
placing the two or more business units that create the combination under it. 
The effect is that when you report from the new business unit, it is rolling up 
the information from the two (or more) subunits and creating a unified view of 
the two or more previously separated business units. 

Figure 2-26 Documentation tab for a Move operation 


To move an organization unit and its dependent objects, perform the following 
steps: 

1. Go to the Documentation tab. 

2. Click the business unit you want to move in the Tree View so that its details 
are in the Detail portlet. 

3. Click the Move button, as shown in Figure 2-27 on page 45. 

Figure 2-27 Move button 


4. In the Tree View on the left, click the business unit under which you want to 
move the business unit. 

5. Click the Place Business Unit button, as shown in Figure 2-28. 


Figure 2-28 Place Business Unit button 

The business unit and any dependent objects including documentation are 
placed in the new location. 

Note: You might have to refresh your view to see the change in the Tree View. 


2.5 Creating financial statements 

Setting up financial reports in IBM Workplace for Business Controls and 
Reporting is also a part of the scoping phase of the project. Financial statements 
primarily provide companies with the ability to prioritize and scope their work to 
manage controls for financial reporting by giving them a mechanism for 
determining which controls support or provide reasonable reassurance for 
significant accounts. They can then focus on key controls that support significant 
financial accounts. After the customer has gone through evaluation and makes a 
determination that a particular control is ineffective, the customer can assess the 
impact by considering the dollar value of the significant account and the 
effectiveness and potential for mitigation of other controls over the same 
significant account. Therefore, when a control has been tested as ineffective, we 
understand the impact of that control on our financial data. Financial reports 
include: 

► Income statement 

► Balance sheet 

► Disclosures 

It is important to note that linking financial reports to subprocesses is optional. 
Controls that do not necessarily directly impact financial statements (such as 
general IT controls) can be documented and evaluated in the system just like 
financial controls. 

Subprocesses can be linked to one or more financial reports. You can also select 
multiple line items that this subprocess can affect. For example, you can 
measure the impact of a control under the Account for Sales Transactions 
subprocess against significant line items from both the income statement and the 
balance sheet. 

You can have one set of financial reports per application or database instance. 
However, the financial documents are completely flexible and enable you to 
customize your financial records. You can potentially organize your statements 
by account type or organizational unit. 


Important tip: The captions and subcaptions are sorted by alphabetical order 
within the application. You might want to apply a numbering scheme to 
manage placement of the line items. See Figure 2-33 on page 51 for an 
example of a numbering schema. 


2.5.1 Income statement 

Here, we discuss the income statement, procedures for building it, and an 
optional method for structuring the elements. 

Figure 2-29 on page 47 is an example of an income statement. You will notice 
that it contains captions and subcaptions, and key accounts are indicated by a 
check mark in the Significant column at the subcaption level. 

The captions are the headings in bold, and the subcaptions are the line items. 

Figure 2-29 Income statement from the Financial Reports tab 


Creating a caption 

You can create a caption by clicking the Add Caption button. You will see the 
fields shown in Figure 2-30; note that the balance fields are optional. Table 2-2 
on page 48 describes the available fields. For example, we might enter Costs and 
Expenses as the caption. 



Figure 2-30 Adding a Caption to the financial statements 

After completing the entry, you can click OK to save that one entry, or Save and 
Add Another to quickly create several captions in a row. 

Table 2-2 Fields available when adding a caption 


| Field | Value | Description |
|---|---|---|
| Caption* | Text | Name of the subcaption line item |
| Current Year-End Balance (millions) | Text | Usually a numerical value of the (projected) current year-end balance |
| Prior Year-End Balance (millions) | Text | Usually a numerical value of the prior year-end balance |

* Required field 


Creating a subcaption 

You can create a subcaption by clicking the Add Subcaption button at the 
financial statement level. Here, you will see the fields shown in Figure 2-31 
available to fill in, as described in Table 2-3. 




Figure 2-31 Adding a Subcaption 

Table 2-3 Fields for adding a subcaption 


| Field | Value | Description |
|---|---|---|
| Caption* | Existing captions | This is a drop-down list to select under which caption you want your subcaption to be placed. |
| Subcaption* | Text | Name of the subcaption line item. |
| Current Year-End Balance (millions)* | Text | Usually a numerical value of the (projected) current year-end balance. |
| Prior Year-End Balance (millions)* | Text | Usually a numerical value of the prior year-end balance. |
| Significant | Check box | Select this check box if this line item or account is significant. |

* Required fields 


Financial reports can be imported as a system administration task through a 
spreadsheet or entered manually. If imported, they can be maintained through 
dynamic updates. For more information about dynamic updates, see 
“Reimporting a spreadsheet and dynamic update” on page 172. 


Important: Only subcaption line items that have been marked as Significant 
are available for linkage with a subprocess, as described in “Adding a 
subprocess” on page 61. 


Organizational options for income statements 

There are three optional organization methods for income statements: 

► Alphabetical order (default) 

► Functional view 

► Organizational view 

By adding a numbering scheme, you can sort and organize your accounts, and 
because the application sorts alphabetically, adding a numbering scheme will 
help keep your income statement in an order you prefer. 

Figure 2-32 on page 50 shows an example of an income statement organized by 
a functional view. 







Figure 2-33 on page 51 shows an example of an income statement organized by 
organizational unit and numbering set up by region. In this example, the logic 
behind the numbering is: 

North America = 1000 
    Revenues = 1100 
        Account #1 = 1101 
        Account #2 = 1102 
        and so on... 
    Cost of Sales = 1200 
        Account #1 = 1201 
        Account #2 = 1202 
        and so on... 

EMEA = 2000 
    Revenues = 2100 
    Cost of Sales = 2200 
        Account #1 = 2201 

APAC = 3000 



Figure 2-33 Income statement organized by organization unit 


2.5.2 Balance sheet 

The balance sheet provides one additional level of categorization as compared 
to the income statement. The captions and their subcaptions can be grouped by 
category. In Figure 2-34 on page 52, you see the category as centered, bold text. 

The process for adding a caption or a subcaption is the same as described in 
“Creating a caption” on page 47 and “Creating a subcaption” on page 48. 
However, when you add a caption, you now have an additional field enabling you 
to select a category under which you want that caption, similar to the subcaption. 

You can add a category by clicking the Add Category button. This provides you 
with one text field to name your category. 


2.5.3 Disclosures 

Generally, any material item in the financial statements should be disclosed if the 
computation for the item is not clearly apparent. The structure of the disclosures 
report is exactly the same as that of the income statement described in 2.5.1, 
“Income statement” on page 46. 

After your financial statements and organizational structure have been defined, 
the scoping phase is complete, and you are ready to move to the documentation 
phase of the project. 


2.6 Creating documentation and the process hierarchy 

The documentation phase of the project is the most labor-intense portion of the 
project, and most companies who have had to comply with the Sarbanes-Oxley 
Act or similar legislation already have their processes and controls documented 
in various forms, with the most common format being the spreadsheet. 

In this phase, you build your process hierarchy. IBM Workplace for Business 
Controls and Reporting follows the COSO framework. Processes are identified 
that have one or more subprocesses, and then one or more objectives, one or 
more risks, and one or more controls. Finally, test procedures are associated 
with the controls that are evaluated so that controls can be rated for 
effectiveness. 

There are three ways to get documentation into the application: 

► Manual input: This is creation of the process and any of its related data 
through the interface of the application manually. The examples we follow in 
this section are shown through the manual process. 

► Spreadsheet template import: IBM Workplace for Business Controls and 
Reporting offers spreadsheet templates for customers to bring existing 
documentation into the application. Generally, the compliance project team 
will map their existing documentation into the template and make that data 
available to the system in what we refer to as a control catalog. A business 
unit owner will import process and control information from these catalogs. 
We discuss how to set up a catalog and load it into the system in greater 
detail in 3.5, “Import” on page 158. Control catalogs can also be separately 
purchased from auditing firms. 

► A back-end data import: Using this method, process documentation is loaded 
and associated with the appropriate business units by an administrator 
through an import routine. The business unit owner does not need to take any 
action in order to get the initial documentation for the business unit loaded 
into the system. For further details, refer to 3.5.2, “Data import” on page 174. 

Import overview and dynamic update introduction 

After spreadsheets are loaded into the system library as a catalog, the second 
phase of an import is for a business unit owner to go in and import the processes 
and subprocesses from the catalog in whole or in part and associate them with a 
business unit. For example, you might have created a catalog that had five 
processes in it, and each one of those five processes had six subprocesses 
underneath it. 

You decide from a business unit level that from one catalog you want only two of 
the processes, and of those two processes, you only want four of each of the 
subprocesses, and pull just that information into your business units. As changes 
are made to that initial catalog, you then get those changes pushed back out to 
you at the business unit level. The same process can be imported multiple times 
under different business units. 

For the remainder of this section, we describe the details and fields at each level 
of the process documentation that includes: 

Process -> Subprocess -> Objective -> Risk -> Control -> Procedure 

Figure 2-35 is an example of a process hierarchy that would be developed during 
the documentation stage. This is the example we follow in the following sections. 


Documentation - Hierarchy Example 

Business Unit: ParentCompanyXYZ 
    Business Unit: France 
        Business Process: Accounts Receivable 
            Sub-Process: Account for Sales Transactions 
                Objective: All billing transactions are recorded in the general ledger correctly and completely 
                    Business Risk: Billing transactions are not recorded completely and/or accurately in the general ledger 
                        Process Controls: Billing document types are configured to automatically generate and post the correct accounting codes 
                            Evaluation Procedure: Review random sample of billing documents to verify accuracy of accounting codes 

Figure 2-35 Documentation hierarchy example 


2.6.1 Process 

A process is a defined category for subprocesses and their subsequent controls 
and test procedures. It is at this level that we can define ownership, certify a 
process, and mark documentation ready for evaluation. 

For this walk-through, we use the Accounts Receivable process. 

Figure 2-36 on page 56 shows the Finance business unit. You will notice in both 
the tree list and the children list that there are quite a few processes listed in this 
system today. If we were just starting the documentation process, we would not 
see any processes and we would have to populate the data manually by clicking 
the Add Process button, or import the data from a catalog by clicking the Import 
Process button. Both buttons are in the lower-right quadrant of the window. We 
walk through both options after a description of the fields available at the process 
level. 


Note: IBM Workplace for Business Controls and Reporting V2.5.1 gives you 
the capability to add attachments and URL references at the process level 
within the hierarchy. We discuss this in further detail in 2.6.3, “Attachments and 
URLs” on page 64. 

Figure 2-36 Documentation tab example 


Figure 2-37 on page 57 shows the fields for a process if we create a new process 
object or edit an existing one. 

Figure 2-37 Fields to fill in when creating a process 

Table 2-4 provides a list and description of each of the fields available at the 
process level. 


Table 2-4 Field values for processes 


| Field | Value | Description |
|---|---|---|
| Process* | Text | This is the name of the process. |
| Description | Text | A text field for a description of the process. |
| Rating* | None, Satisfactory, Marginally Acceptable, Unsatisfactory | This is the rating for the process. In general, Satisfactory means little to no risk, Marginally Acceptable means moderate risk, and Unsatisfactory means high risk. These values can be customized for your business usage. |
| Outline | Text | A text field to enable you to apply an outline structure to your processes. |
| Owner* | User name | A selection box in which to designate who has ownership of the process. There can only be one owner of a process. |
| Delegates | User or group names | Where you can choose one or more users who need delegated access to the process. These users have the same default access as the owner. |
| Documentation Complete | Yes, No | This field is the trigger to indicate whether controls are ready for the evaluation phase and when reporting for that process will begin. When you are building your documentation, this is usually set to No. When the documentation cycle for a process is complete and ready for evaluation, this is set to Yes. |

* These fields are required in order to create a process. 


Adding a process 

This activity is fairly straightforward. To add a process, perform the following 
steps: 

1. Go to the Documentation tab. 

2. Select and click the business unit under which you want to add the process. 

3. Go to the Processes tab in the lower-right quadrant, as shown in Figure 2-38. 



Figure 2-38 Example of Business Units and Processes tabs 


4. Click the Add Process button. 

5. Fill in the fields, as described in Table 2-4 on page 57. 

6. Click OK. 


Importing a process 

In order to be able to import a process under a business unit, you need to make 
sure that the documentation has been loaded into the system as a catalog in 
advance. For more information about this process, see 3.5.1, “Catalog import” on 
page 160. To import a process, perform the following steps: 

1. Go to the Documentation tab. 

2. Select and click the business unit under which you want to add the process. 

3. Go to the Processes tab in the lower-right quadrant, as shown in Figure 2-39 
on page 59. 

Figure 2-39 Example of Business Units and Processes tabs 


4. Click the Import Process button. You will see a list of available catalogs from 
which to choose processes. Use the paging buttons or type in the page 
number and click Go to navigate if the list of catalogs is longer than a single 
page. See Figure 2-40. 



5. Click the catalog where your process is stored. In this example, we select 
Oracle (Accounts Payable). This provides you with a list of all the processes 
available in that catalog for importing. 

6. Select the process you want to import. We select Process Accounts 
Payable in this example. This selection then provides you with a list of the 
subprocesses available for importing. Figure 2-41 shows the Process list. 



Figure 2-41 Process list 

7. Select the check box next to one or more subprocesses that you want to 
import, as shown in Figure 2-42 on page 60. 

Figure 2-42 Subprocess selection 


8. Click OK and the application imports the process/subprocesses and 
associated documentation under the business unit you chose. 

2.6.2 Subprocess 

Subprocesses are the child objects of a process. A subprocess is a key object 
within the documentation phase. In addition: 

► There can be many subprocesses within a single process. 

► The subprocess is where you optionally link to your financial line items. 

► The subprocess is where you have the capability to attach documentation or 
reference existing documentation through a URL within the tool. 

Figure 2-43 shows the fields available for a subprocess. 



Figure 2-43 Fields to fill in when creating a subprocess 

Table 2-5 describes each of the fields available at the subprocess level within the 
application. 


Table 2-5 Field descriptions for the subprocess 


| Field | Value | Description |
|---|---|---|
| Subprocess* | Text | This is the name of the subprocess. |
| Description | Text | A text field for a description of the subprocess. |
| Rating* | None, Satisfactory, Marginally Acceptable, Unsatisfactory | This is the rating for the subprocess. In general, Satisfactory means little to no risk, Marginally Acceptable means moderate risk, and Unsatisfactory means high risk. These values can be customized for your business usage. |
| Owner* | User name | A selection box that designates who has ownership of the subprocess. There can only be one owner of a subprocess. |
| Delegates | User or group names | Where to choose one or more users who need delegated access to the subprocess. These users have the same default access as the owner. |
| Outline | Text | A text field to enable you to apply an outline structure to your subprocesses. |
| Select Statement | None, Income Statement, Balance Sheet, Disclosures | This selection enables you to understand the impact on the company’s finances when you have an ineffective control. When you make a selection from this drop-down list, the significant line items from the financial statement appear and you can select one or more line items from one or more financial statements to be associated with this subprocess. Note: You might not see the actual numbers. The administrator can hide those values through the global settings. |

* These fields are required in order to create a subprocess. 


Adding a subprocess 

To add a subprocess, perform the following steps: 

1. Go to the Documentation tab. 

2. Select and click the process under which you want to add the subprocess. In 
this example, we chose Accounts Receivable. 

3. Click the Add Subprocess button in the lower-right quadrant, as shown in 
Figure 2-44. 


Figure 2-44 Process with Subprocesses 

4. Fill in the fields as described in Table 2-5 on page 61. 

5. Click OK. 

Importing a subprocess 

When you import a subprocess, you can place this subprocess under any 
process you like. As you will see in the following scenario, you will select a 
process to locate the subprocess that you want to include in the system, but 
when you import it, that subprocess can be placed under any process you want. 

For example, if components of the Accounts Payable application have been 
developed in-house, certain general IT controls around application access 
control might apply to this process. You can import a subprocess for Access 
Control, defined in a catalog under process Manage Information Technology. In 
this case, you import that subprocess under Accounts Payable. To import a 
subprocess, perform the following steps: 

1. Go to the Documentation tab. 

2. Select and click the process (for example, Accounts Payable) under which 
you want to add the subprocess. 

3. Click the Import Subprocess button. You will see a list of catalogs 
available from which to choose processes, as shown in Figure 2-45. 



Figure 2-45 Control Catalog selection 


4. Click the catalog where your process is stored. In this example, we again 
select the Oracle (Accounts Payable) catalog. This provides you with a list 
of all the processes available. 

5. Select the process in which your subprocess exists. We select Manage 
Information Technology in this example. This selection then provides you 
with a list of the subprocesses available for importing, as shown in 
Figure 2-46. 



Figure 2-46 Process list 

6. Select the check box next to the one or more subprocesses you want to 
import, as shown in Figure 2-47. 


Figure 2-47 Subprocess selection 


7. Click OK and the application imports the subprocess and associated 
documentation under the process you chose in this exercise. 


2.6.3 Attachments and URLs 


As mentioned earlier, you have the ability to add attachments or reference URLs 
at the subprocess and the test procedure levels of the hierarchy. This is useful if 
you want to reference things such as process documentation or workflow 
diagrams within the tool. If your company wants the documents to be contained 
within and managed by IBM Workplace for Business Controls and Reporting, you 
can deposit the documents directly into the application. If your company uses an 
existing document management solution or Web site to manage these types of 
documents, you can simply reference the document’s location through a URL. 

At this point, it is assumed that the documentation you will be adding to the 
system has gone through a creation and review cycle and is in a complete status. 
IBM offers several solutions to assist with the management of document creation 
that have basic document management capabilities, such as check in/check out, 
versioning, and workflow capabilities. IBM offers the following solutions: 

► IBM Lotus QuickPlace® 

► IBM DB2 Content Manager 

► IBM Lotus Domino Document Manager 

Or, leverage your own document management application and point to it through 
a URL. 

Adding an attachment 

This process is exactly the same at the subprocess or procedure level. To add an 
attachment, perform the following steps: 

1. Choose the subprocess or procedure where you want to attach your 
document. 

2. Go to the Attached files and URLs tab in the lower-right quadrant, as shown in 
Figure 2-48. 

Figure 2-48 Attached files and URLs tab 


3. Click the Add Attachment button. 

4. Fill in the Title field, as shown in Figure 2-49. This appears in the Title column, 
as shown in Figure 2-48 on page 64. 

Figure 2-49 Fields to fill in when creating an attachment 

5. To attach a file: 


a. Click Browse. 

b. Select the file you want to add and click OK. 

6. To reference a URL: 

a. Enter the URL (for example, http://itsointranet.com) to which you want 
to link. 

b. Click OK. 

7. Click OK again. 

You will now see your attachment or URL in the list. 

Enhancements in Version 2.5.1 for attachments and URLs 

In IBM Workplace for Business Controls and Reporting V2.5.1, you now have the 
ability to designate whether it is a file or a URL with a radio button selection. See 
Figure 2-50 on page 66. 

Figure 2-50 Version 2.5.1 attachment options 

In addition, with Version 2.5.1, you can attach documentation at the process level 
as well as at the subprocess and procedure levels. 


Note: When a user retrieves an attachment, the file can be downloaded and 
saved or opened with a source application or viewer that must be installed on 
the user’s workstation. If the user clicks a URL, a new window opens to that 
particular Web page. 


2.6.4 Objectives 

Underneath the subprocess are the objectives. The following list describes 
objectives: 

► The objective is the desired status for the subprocess under which it resides. 

► One subprocess can have one or more objectives defined. 

► Underneath each objective, you will see the list of all the risks identified for 
that subprocess. We create an association to one or more risks we have for 
that objective. 

Figure 2-51 on page 67 shows the Objective Association column with optional 
check marks. This enables you to choose which risks you want to associate 
with the objective. The risk/objective association is an n:n relationship, 
meaning a risk can be associated with multiple objectives. 

Figure 2-51 Overview of an objective 

The objective has three fields and an action for association, as described in 
Table 2-6. 


Table 2-6 Field descriptions for the objective 


| Field | Value | Description |
|---|---|---|
| Objective* | Text | This is the objective name. |
| Description | Text | An optional field to input a description of the objective. |
| Outline | Text | A text field to enable you to apply an outline structure to your objectives. |
| Objective Association | Check box | This is an option in the children portlet when you are looking at an objective in the Detail view. This is where you can associate one or more risks to this specific objective so that the risks of not having an effective control in place are defined. |

* This field is required in order to create an objective. 


Adding or importing an objective 

You can manually add objectives into the system. Perform the following steps: 

1. Go to the Documentation tab. 

2. Select the subprocess under which you want the new objective. 

3. Click the Add Objective button. 

4. Fill in the fields as described in Table 2-6 on page 67. 

5. Click OK to save your new objective. 

After you have created risks underneath your objective, you can select an 
objective from the tree and observe the risks in the children portlet. Here, you 
select the check box next to a risk to associate one or more risks with that 
objective. 

If you have imported a process or a subprocess in previous steps, the objectives 
will automatically show up at this level. It is important to note that when you 
import from a catalog, the risk/objective association might have already been 
defined. 

A user who has access to the objective in the evaluation stage will, by default, see 
all the risks whether they have been associated or not. “Hiding non-associated 
risks” on page 142 describes how an administrator can limit this list to show only 
those risks that have been associated with a specific objective. 


2.6.5 Risks 


A risk is displayed as a child object to the objective. However, unlike other 
objects that generally have a one-to-many relationship, risks can have a 
many-to-many relationship with objectives. The following list further describes 
risks: 

► Risk can be shared between objectives. 

► Under each risk, you will see controls in place to mitigate that risk. 

In Figure 2-52 on page 69, the first and second controls are native to this risk, 
and in this example, the first control is also marked as a key control that is 
ready for evaluation. The third control is a shared control. Shared controls are 
native to a different risk and can be associated with any other risk in the 
application. We discuss shared controls in greater detail in 2.6.7, “Shared 
controls” on page 77. 

Table 2-7 contains the fields and options available for a risk. 


Table 2-7 Options available for a risk 


| Field | Value | Description |
|---|---|---|
| Risk* | Text | This is the name of the risk. |
| Description | Text | An optional field to input a description of the risk. |
| Rating* | None, High, Medium, Low | This is the risk rating you want to apply to the risk. |
| Outline | Text | A text field to enable you to apply an outline structure to your risks. |
| For Evaluation | Check box | This is an option in the children portlet when you are looking at a risk in the Detail window. This is where you can designate whether controls are key controls that are ready for evaluation. Note: This functionality has been enhanced in V2.5.1; see “Enhancement in Version 2.5.1 for risks” on page 70 for details. |

* These fields are required in order to create a risk. 

Adding a risk

You can manually add a risk into the system by performing the following procedure.
If you imported a process or a subprocess in the previous steps, the risks might
already be predefined. There is not a separate import capability at this level.
Perform the following steps:

1. Go to the Documentation tab. 

2. Select the objective under which you want the new risk to be placed. 

3. Click the Add Risk button. 

4. Fill in the fields described in Table 2-7 on page 69. 

5. Click OK to save your new risk. 

If you imported a process or a subprocess in previous steps, the risks will 
automatically show up at this level. You have to signify whether a control is For 
Evaluation manually. 

Enhancement in Version 2.5.1 for risks 

In Version 2.5.1, the ability to manage the evaluation of key and mitigating 
controls has been made more straightforward and more accessible to the 
Workplace for Business Controls and Reporting application administrators. 

In prior versions of Workplace for Business Controls and Reporting, there was 
only one designation for key and mitigating controls, the “For Evaluation” check 
box that appeared next to the control in the risk object window. In Version 2.5.1, 
it is possible to designate a control as both For Evaluation and Key Control (All 
Controls), Only For Evaluation Controls, or Only Key Controls. The designation 
of For Evaluation is made from the control object window, and the designation of 
Key Control is made from the risk object window. The combination of the For 
Evaluation and Key Control settings and global settings govern Workplace for 
Business Controls and Reporting behavior regarding which controls appear on 
the Evaluation tab. 

As noted previously, to have only key controls appear in the Evaluation tab, a 
WebSphere Portal setting from the command line was required. In V2.5.1, this 
setting has been made a global setting that is accessible from the Settings tab, 
as displayed in Figure 2-53 on page 71. 

To designate which controls appear on the Evaluation tab, the Workplace for
Business Controls and Reporting application administrator selects the
appropriate value for the “On the Evaluation tab, display” field. Available options
are “All Controls,” “Only Key Controls,” or “Only For Evaluation Controls.” Note
that if Only For Evaluation Controls is selected, the Show Control For Evaluation
field must be set to Yes; otherwise, it will not be possible to designate a control
For Evaluation from the user interface. The behavior of Workplace for Business
Controls and Reporting based on the selection made is summarized as follows:

► All Controls: When All Controls is selected, all controls will appear in the 
Evaluation tab regardless of the Key Control or For Evaluation settings on the 
control object. In this scenario, the Key Control and For Evaluation settings on 
the control object do not define any application behavior and are significant 
for reporting purposes only. 

► Only Key Controls: When Only Key Controls is selected, only controls that 
have Key Controls selected on the risk object window appear on the 
Evaluation tab. Controls that are indicated as For Evaluation do not define 
any application behavior and will be ignored. In this scenario, only the Key 
Control field governs Workplace for Business Controls and Reporting 
behavior. 

► Only For Evaluation Controls: When Only For Evaluation Controls is selected,
only controls that have For Evaluation selected on the control object window 
will be selected for evaluation. Controls that are indicated as Key Controls do 
not define any application behavior and will be ignored. In this scenario, only 
the For Evaluation field governs Workplace for Business Controls and 
Reporting behavior. 

We recommend the settings shown in Table 2-8 and Table 2-9 assuming that the 
overall expected behavior has key and mitigating controls appear on the 
Evaluation tab. 


Table 2-8 Global settings

| Field location | Field name | Field setting |
|---|---|---|
| Settings -> Global Settings | On the Evaluation Tab Display | Only For Evaluation Controls |
| Settings -> Global Settings | Show Control Evaluation Field | Yes |


Table 2-9 Control settings

| Control type | Field name | Field setting |
|---|---|---|
| Key Control | Key Control (Risk Object) | Yes |
| Key Control | For Evaluation (Control Object) | Yes |
| Mitigating Control | Key Control (Risk Object) | No |
| Mitigating Control | For Evaluation (Control Object) | Yes |
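
The three display modes and the recommended settings in Table 2-8 and Table 2-9 can be checked with a small model. The following Python is an added example, not product code or a product API: the class, function, and control names are hypothetical, and the sample controls are constructed.

```python
from dataclasses import dataclass

# Values of the "On the Evaluation tab, display" global setting (from the text).
ALL_CONTROLS = "All Controls"
ONLY_KEY = "Only Key Controls"
ONLY_FOR_EVALUATION = "Only For Evaluation Controls"


@dataclass(frozen=True)
class Control:
    name: str
    key_control: bool      # designated in the risk object window
    for_evaluation: bool   # designated in the control object window


def appears_on_evaluation_tab(display: str, control: Control) -> bool:
    """Apply the three documented display modes to one control."""
    if display == ALL_CONTROLS:
        return True                      # both flags are reporting-only
    if display == ONLY_KEY:
        return control.key_control       # For Evaluation is ignored
    if display == ONLY_FOR_EVALUATION:
        return control.for_evaluation    # Key Control is ignored
    raise ValueError(f"unknown display setting: {display!r}")


def audit_settings(display, show_for_evaluation_field, controls):
    """Return (visible control names, findings) for one settings combination."""
    findings = []
    if display == ONLY_FOR_EVALUATION and not show_for_evaluation_field:
        # The caveat from the text: the mode depends on a field users cannot set.
        findings.append("For Evaluation field is hidden: no control can be "
                        "designated For Evaluation from the user interface")
    visible = [c.name for c in controls if appears_on_evaluation_tab(display, c)]
    for c in controls:
        if c.name not in visible:
            findings.append(f"{c.name!r} will not appear on the Evaluation tab")
    return visible, findings


# Constructed sample data. The first two rows follow Table 2-9 (key and
# mitigating control); the third is a control with neither flag set.
SAMPLE_CONTROLS = [
    Control("Three-way match", key_control=True, for_evaluation=True),
    Control("Monthly management review", key_control=False, for_evaluation=True),
    Control("Informal spot check", key_control=False, for_evaluation=False),
]

if __name__ == "__main__":
    for mode in (ALL_CONTROLS, ONLY_KEY, ONLY_FOR_EVALUATION):
        names, notes = audit_settings(mode, True, SAMPLE_CONTROLS)
        print(mode, "->", names)
        for note in notes:
            print("   finding:", note)
```

With Only Key Controls, the mitigating control drops off the Evaluation tab, which is why the recommended settings use Only For Evaluation Controls when both key and mitigating controls must be evaluated.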


Figure 2-54 on page 73 shows an example of the updates to risks in Version 
2.5.1. 

Figure 2-54 Example of updates to risks in V2.5.1


2.6.6 Controls 

Controls are in place to manage the risk to which they are related. A control is a 
child object of a risk. There can be one or more controls for each risk. The 
exception is shared controls, which have a many-to-many relationship with risks. 
Figure 2-55 on page 74 shows the controls overview. 

Figure 2-55 Control overview


Controls have the data fields shown in Table 2-10. 


Table 2-10 Fields available for controls

| Field | Value | Description |
|---|---|---|
| Name* | Text | This is the control name. |
| Description | Text | An optional field to input a description of the control. |
| Shared | Check box | Selecting this check box marks this control as a shared control and allows this control to be associated with risks in other processes throughout the organization. |
| Rating* | None, High, Medium, Low | This is the rating you want to apply to the control. |
| Component* | Control Activities, Control Environment, Information/Communication, Monitoring, None, Risk Assessment | These are the COSO components that can be associated with a control. This information is used to drive the COSO Heat Map report. |
| Type* | Authorization, Exception/edit report, Interface/Conversion, Key Performance Indication, Management Review, None, Reconciliation, Segregation of Duties, System Access, System Configuration | This information is used for categorization of a control for reporting purposes. |
| Control Execution* | Manual, Automated | This enables you to choose the way the control is executed. |
| Control Execution Description | Text | This is only available if Control Execution is set to Automated. This field is generally populated with window IDs, job names, system names, and so on. |
| Control Execution Frequency* | Daily, Monthly, Multiple Times Daily, Quarterly, Semi-annually, Weekly, Yearly | Control execution frequency is how often the control is executed or used. For example, a three-way match control is likely used multiple times daily. This field is used for informational purposes only. |
| Owner* | User name | A selection box that designates who has ownership of the control. There can only be one owner of a control. |
| Delegates | User or group names | A place to choose one or more users who need delegated access to the control. These users have the same default access as the owner. |
| Assertions | Completeness, Existence, Presentation, Valuation, Ownership, Accuracy | You can select one or more assertions. These are financial statement assertions that are based on COSO and audit standards. |
| Outline | Text | A text field to enable you to apply an outline structure to your controls. |

* These fields are required in order to create a control.


Figure 2-56 shows an example of a control in add or edit mode. 



Figure 2-56 A control in add or edit mode 

2.6.7 Shared controls

To understand shared controls, it is important to distinguish them from common 
controls. A common control is a control that can exist in multiple locations, but 
because it is executed manually, each occurrence is considered to be unique for 
testing purposes. 

Typically, a shared control is considered to be an infrastructure type of control 
and will likely be automated. Shared controls give you the ability to document, 
test, and evaluate a control once, but reference it in multiple processes or 
business units. 


Example: IT access controls are going to impact multiple systems. The 
controls will either test to be effective or ineffective, but they are going to be 
tested only once within IT. As long as those controls are working, they are 
going to be assumed to be working throughout all of those applications and all 
of those processes. 

If you had a risk in each one of your processes that outlined that unauthorized 
personnel could gain access to your system, you might want to reference the 
shared IT access control and use it in each one of those processes exposed 
to that risk. 

When it was tested from an IT standpoint, all of the documentation and results 
will be inherited everywhere it is shared. Therefore, if it was deemed effective 
and it was tested once, everybody that was using it would get an effective 
control, and vice versa: If it was ineffective, everybody would get an ineffective 
control. 


Shared controls reduce the testing effort by reducing the total number of controls 
that must be tested. Without shared control capabilities, redundant controls must 
be tested on each occurrence. 

Adding a control 

You can manually add a control into the system by performing the following 
procedure. If you imported a process or a subprocess in the previous steps, the 
controls will automatically be listed here. There is not a separate import capability 
at this level. To add a control, perform the following steps: 

1. Go to the Documentation tab. 

2. Select the risk under which you want the new control to be placed. 

3. Click the Add Control button. 

4. Fill in the fields displayed in Figure 2-56 on page 76 and described in 
Table 2-10 on page 74. 

5. Click OK to save your new control.

Referencing a shared control 

To reference a shared control, perform the following steps: 

1. Go to the Documentation tab. 

2. Select the risk under which you want the shared control to be placed. 

3. Click the Associate Shared Control button, as shown in Figure 2-57. This 
shows the list of controls that have been declared as shared controls. 





Figure 2-57 Associate Shared Control button 


4. Select from the list the controls you want to associate by selecting the 
appropriate check box, as shown in Figure 2-58. 



Figure 2-58 List of shared controls from which to choose 

5. Click Done to save the association.

Note: The shared control can only be edited, tested, and evaluated by the
owner and delegates defined for that control.


Enhancements in Version 2.5.1 for controls 

Version 2.5.1 contains a few more options at the control level to stay current with 
the COSO recommendations as well as provide better functionality to users. 

Figure 2-59 and Table 2-11 on page 80 highlight the changes. 

Table 2-11 New fields available in V2.5.1

| Field | Value | Description |
|---|---|---|
| For Evaluation | Check box | This determines whether the control is to be evaluated or not. |
| Fraud | No, Yes, None | Used to indicate if a control is designed to prevent or detect fraudulent activities. |
| Control Intention* | Detective, Preventative, None | Detective controls are designed to detect and notify you when there are errors and irregularities that have occurred so that you can assure their prompt correction. Preventative controls are designed to keep errors or irregularities from occurring in the first place. |

* This is a required field.


The administrator has the ability to hide these new fields until the organization 
decides to use them. See “Additional global settings in IBM Workplace for 
Business Controls and Reporting V2.5.1” on page 145 for more information. 


2.6.8 Procedures 

The last object in the documentation phase is the procedure, more commonly 
referred to as a test procedure. Procedures represent the testing steps that are 
used to evaluate the effectiveness of controls. They should not be confused with 
the business process procedures that represent how the process is executed. 

Procedures are child objects of controls, and there is a one-to-many relationship 
between controls and procedures. 

The form structure in IBM Workplace for Business Controls and Reporting is 
capable of supporting multiple types of procedures. Some of the more common 
procedure types include: 

► Sampling 

► Walk-through or Observation 

► Inquiry 

► Inspection of reports or other documentation 

Information regarding the procedure can be recorded in the description field (up
to 2560 characters, approximately three-fourths of an 8.5 x 11 page) or as file or
URL attachments.

Procedures are unique among IBM Workplace for Business Controls and Reporting
objects; generally, objects can only be created and edited in one tab. However,
procedures can be created or edited in both the Documentation and the
Evaluation tabs.

Finally, as mentioned in 2.1, “Software methodology overview” on page 12, this is 
the other object within the application where you can add attachments or point to 
URLs. We describe how to do this in 2.6.3, “Attachments and URLs” on page 64 
for your reference. Figure 2-60 shows an overview of a procedure. 



Table 2-12 provides the field descriptions for a procedure. 


Table 2-12 Field descriptions for a procedure

| Field | Value | Description |
|---|---|---|
| Procedure* | Text | This field is where you name the procedure. |
| Description | Text | An optional field to input a description of the procedure. |
| Owner* | User name | A selection box that designates who has ownership of the procedure. There can only be one owner of a procedure. |
| Delegates | User or group names | You can choose one or more users who need delegated access to the procedure. These users have the same default access as the owner. |
| Sample Size | Numeric | If the procedure is based on sampling, a numeric value signifying the amount of testing instances you need to complete for that procedure. |
| Outline | Text | A text field to enable you to apply an outline structure to your procedures. |

* These fields are required in order to create a procedure.


Adding a procedure 

You can manually add a procedure into the system by performing the following 
steps. If you imported a process or a subprocess in the previous steps, the 
procedures have been predefined. New procedures, however, can be added 
either during documentation or evaluation. To add a procedure, perform the 
following steps: 

1. Go to the Documentation tab. 

2. Select the control under which you want the new procedure to be placed. 

3. Click the Add Procedure button. 

4. Fill in the fields described in Table 2-12 on page 81. 

5. Click OK to save your new procedure. 

Figure 2-61 shows the procedure fields. 



Figure 2-61 Fields to fill in when you create a procedure 

After the documentation for an entire process is complete, we can now go back
to the process and set the Documentation Complete field from No to Yes. This 
means that we are ready for the Evaluation phase. 


2.7 Evaluating the test procedure and controls 

When the documentation is complete (this might or might not be enforced 
depending on the global settings), users can enter the evaluation phase of the 
internal control process. This is optionally enforced by the portlets based on an 
administrative setting to prevent a user from performing evaluation on objects 
without the documentation complete. 

Evaluation operates on controls, procedures, and test instances of procedures 
(test instances are referred to as “samples” within IBM Workplace for Business 
Controls and Reporting). A control has four different evaluation stages with an 
optional fifth: 

1. Execution of test instances of a procedure: Within Workplace for Business 
Controls and Reporting, test instances are referred to as samples. However, 
a test instance can represent multiple procedure or test types. Some of the 
more common types are samples, walk-through, and interview. When the test 
instance is completed, the results are entered in Workplace for Business 
Controls and Reporting as a “sample” that is a child object of a procedure. A 
procedure can have one or more samples. The results are entered as either 
“Passed” or “Failed.” If a test instance (sample) is recorded as failed, a 
workflow is initiated that will direct the user to either invalidate the sample if 
the sample is erroneous, or create a remediation plan that will record the root 
cause of the failure, the remediation plan to correct the root cause, and a 
“remediation date” that will indicate when the remediation plan is expected to 
be complete and a retest is appropriate. Valid values for a sample are invalid, 
passed, failed, and remediated. 

2. Evaluation of a procedure: Consistent with the “control evaluation frequency,”
the procedure must be evaluated. Note that the procedure evaluation
frequency can be more frequent than the control evaluation frequency, but
cannot be less frequent; for example, a control that is evaluated annually can be
evaluated based on procedures that are evaluated quarterly. The procedure
evaluation needs to indicate that the procedure supports one of three
conclusions:

- The procedure supports a conclusion that the control is effective.

- The procedure supports a conclusion that the control is ineffective.

- The procedure is inconclusive.

3. Control evaluation: When the user opens a control object in the evaluation
phase, the control data attributes are displayed along with the procedure 
results. The procedure results include the procedure name, procedure owner, 
procedure evaluation date, and procedure conclusion. The control evaluator 
can evaluate the control based on the summary procedure information or can 
“drill down” into a procedure if they want more detailed information about a 
procedure. The control is rated as effective or ineffective. The control 
evaluation frequency, next evaluation date, and the rationale for the next 
evaluation date are set. 

4. Control observation: The control observer (can be from the business unit or
internal audit based on the maturity of the organization) makes the
determination of the overall impact of a control that is rated ineffective in
control evaluation. In control observation, the control observer rates the
impact of a control as N/A, Deficiency, Significant Deficiency, or Material
Weakness (note that currently Workplace for Business Controls and
Reporting incorrectly refers to a Material Weakness as a “Material
Deficiency”). N/A is applicable for effective controls where the observer wants
to record observations such as a recommendation for automation or an
ineffective control that is appropriately mitigated. The control observation also
includes text fields to record Deficiency, Implication, Mitigation, and
Recommendation, and whether or not the control is mitigated. Information
recorded on the control observation is reported in the Observations and
Recommendations report.

5. Auditor observation: The Auditor Observation window is identical to the 
Control Observation window; it is intended to provide a place for internal 
auditors to record observations. There is no standard reporting of information 
entered in the Auditor Observation window. 

A few important notes about evaluations: 

► Additional procedures can be added to the control during this stage. 

► Evaluation contents can be edited. 

► All of the evaluation fields set up during the documentation stage can be 
edited. 

Attachments created during the documentation stage are available during 
evaluation. Additional attachments can be added during the evaluation stage. 
Attachments created during the documentation stage are usually related to how 
the evaluation should be performed, and attachments made during the 
evaluation stage are related to the performance of a specific evaluation, for 
example: 

► Interview or observation notes 

► Sample worksheet 

The key hierarchy to keep in mind is that controls are evaluated using
procedures (testing procedures) and specific executions of a testing procedure 
are represented by samples. 


Tip: Remediation planning functionality for a sample evaluation can be used 
regardless of the evaluation type. 


Figure 2-62 shows that the Evaluation tab has the same layout as the other tabs 
in which we have been working up to this point. Who you are will determine what 
you are able to see within the application. Users will more than likely use the My 
Procedures or My Controls list from the portlet to pull up the relevant objects they 
need in order to do their evaluations. 



Evaluation steps overview 

There are several levels of evaluation available within the application. You have 
the option of using whatever evaluations you deem necessary to support your 
process. In support of the bottom-up approach, we describe the following
available evaluation options: 

► Sampling and remediation 

► Test procedure evaluation 

► Control evaluation 


2.7.1 Sampling 

Specific executions of a testing procedure are represented by samples (test
instances are referred to as samples in IBM Workplace for Business Controls and
Reporting). Users record the result of each test instance as passed or failed.
Users can also create remediation and gap plans at this level if a test
failed. Perform the following steps:

1. Log in to IBM Workplace for Business Controls and Reporting and go to the 
Evaluation tab. 

2. Select My Procedures from the My Lists portlet. 

3. From that set of results, select the procedure on which you want to execute 
and record the results of your test. In this example, we choose Cross 
reference and check entries. 

4. Go to the Samples tab in the children portlet and you will note immediately if
samples have been executed in the past, what the status was, who did it, and
what the remediation was. Figure 2-63 shows an example.





Figure 2-63 Sample tabs with history and status of past sample executions 

5. Click the Add Sample button and fill in the fields shown in Table 2-13 on 
page 87 to record a testing instance. 

Table 2-13 Fields available from the Add Sample function

| Field | Value | Description |
|---|---|---|
| Sample* | Text | Name of the sample. |
| Description* | Text | This is a text field where you can describe the sample. |
| Comment | Text | Another text field where you can store additional comments regarding the test. |
| Test Association Date* | Date | This field references the date of the data set you used for your testing. For example, if we execute testing on July 15 for June 30 data, this is where you would specify June 30 as the date. |
| Status* | Passed, Failed | This is where you indicate whether the testing passed or failed. |

* These fields are required in order to create a sample.


For this example, let us say that the testing failed and we selected that status 
on our sample evaluation. If we look at the view, we see the most recent 
status of the evaluation and determine whether we are ready for remediating 
the sample, as shown in Figure 2-64. 



The user typically has some work to do when a test fails and possibly needs 
to do some work outside of the system. After that work is complete, the user 
logs in to the system and selects the sample to begin a remediation plan. 

6. Select the sample, in this case, June Sample Evaluation.

Note that there are three actions from which a user can select: 

► Up: Takes the user to the procedure detail. 

► Invalidate: We can invalidate the evaluation that we executed. If you select 
this option, you can add some comments, and this will be noted in the view 
shown in Figure 2-64 on page 87. 

► Remediation Plan: Create a remediation plan for the failed evaluation. For 
this example, we select this option. 

2.7.2 Remediation 

When a sample is marked as failed, a remediation workflow is initiated. In the 
remediation workflow, the procedure evaluator is first given the option of 
invalidating the sample or beginning a remediation plan. 

If the sample is invalidated, the procedure evaluator name and the date and time 
are stamped on the sample and the status is recorded as invalidated. 

If the procedure evaluator decides to initiate a remediation plan, the evaluator 
clicks the Remediation Plan button shown in Figure 2-64 on page 87. This 
displays the remediation plan window shown in Figure 2-65 on page 89. The 
procedure evaluator records the Root Cause or issue, Remediation Plan, and the 
Remediation Date. These are all required fields. 

At this point, the Ready for Remediation field will generally be left at No. The 
exception to this will be a situation where the solution is straightforward and can 
be implemented immediately. In most cases, remediation will take some time 
and will be delayed over a period of weeks or even months. 

After the remediation plan is completed, the Ready for Remediation field
is changed to Yes. This indicates that the remediation is complete and the
procedure is ready for retesting. After the status is changed, a new button,
“Remediate,” appears, as shown in Figure 2-66 on page 90.

When you click the Remediate button, a window opens to allow the procedure 
evaluator to record the retest results. The retest window looks like the original 
sample window where the original test results were recorded. However, the 
retest window will contain a reference to the original test. After the retest results 
are recorded, the sample is updated. Assuming that the retest is recorded as 
Passed, the status of the original sample will be updated from Failed to 
Remediated. 

Valid values for sample test results are Passed, Failed, Invalidated, and
Remediated. 

To initiate a remediation plan, perform the following steps: 

1. Click the Remediation Plan button. Fill out the form, and click OK when you 
are done. Figure 2-65 shows the form. 



Figure 2-65 Remediation plan 

Table 2-14 provides descriptions of the fields.

Table 2-14 Field descriptions for a remediation plan

| Field | Value | Description |
|---|---|---|
| Root Cause* | Text | A place to document the root cause of the failure. |
| Remediation Plan* | Text | A field to document the plan in place to remediate the failure. |
| Remediation Date* | Date | Date when this sample was remediated. |
| Ready for Remediation | No, Yes | Whether or not the sample is ready for remediation. Selecting No enables us to continue work on the remediation plan. After the issue is remediated, selecting Yes saves the field values and displays the Remediate button. |

* These fields are required in order to create a remediation plan.

All this data we filled out and saved is captured on the sample evaluation
detail. Figure 2-66 shows an example. 



Figure 2-66 Remediation plan documented on the sample 

2. Click the Remediate button, as shown in Figure 2-66, and fill out the fields
to test a new set of sampling data. See Figure 2-67 on page 91.

Remediation enables us to record the test with the remediated sample. You 
will notice that this window provides the same fields as the Add Sample 
button. 

3. This time when we ran the test, it passed and the sample has now been
remediated and passed. This is noted at the procedure level with details 
about the status, who did it, and when, as shown in Figure 2-68. 



After the testing has been executed and the samples have been remediated, the 
next step in the process is to evaluate the procedures. 
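
The sample remediation workflow described in 2.7.1 and 2.7.2, modeled as a small state machine. This Python is an added example, not code from the product: all class and function names are hypothetical, the sample data is constructed, and it assumes that a failed retest leaves the original sample Failed, which the text does not specify.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Sample statuses named in the text.
PASSED, FAILED = "Passed", "Failed"
INVALIDATED, REMEDIATED = "Invalidated", "Remediated"


class WorkflowError(Exception):
    """The requested action is not available in the sample's current state."""


@dataclass
class RemediationPlan:
    root_cause: str
    plan: str
    remediation_date: date
    ready_for_remediation: bool = False   # the "Ready for Remediation" field


@dataclass
class Sample:
    name: str
    status: str
    plan: Optional[RemediationPlan] = None
    invalidated_by: Optional[str] = None
    invalidated_at: Optional[datetime] = None
    retest_of: Optional[str] = None       # a retest references the original test

    def __post_init__(self):
        if self.status not in (PASSED, FAILED):
            raise WorkflowError("a test result is recorded as Passed or Failed")

    def _require_failed(self, action: str) -> None:
        if self.status != FAILED:
            raise WorkflowError(f"{action} applies only to a Failed sample")

    def invalidate(self, evaluator: str, when: datetime) -> None:
        """Erroneous sample: stamp evaluator and time, status becomes Invalidated."""
        self._require_failed("Invalidate")
        self.invalidated_by, self.invalidated_at = evaluator, when
        self.status = INVALIDATED

    def start_plan(self, root_cause: str, plan: str, remediation_date: date) -> None:
        """Root Cause, Remediation Plan and Remediation Date are all required."""
        self._require_failed("Remediation Plan")
        if not root_cause.strip() or not plan.strip() or remediation_date is None:
            raise WorkflowError("root cause, plan and date are required fields")
        self.plan = RemediationPlan(root_cause, plan, remediation_date)

    def mark_ready(self) -> None:
        """Set Ready for Remediation to Yes, which exposes the Remediate action."""
        self._require_failed("Ready for Remediation")
        if self.plan is None:
            raise WorkflowError("no remediation plan has been recorded")
        self.plan.ready_for_remediation = True

    def remediate(self, retest_name: str, retest_status: str) -> "Sample":
        """Record the retest; a Passed retest turns the original into Remediated."""
        self._require_failed("Remediate")
        if self.plan is None or not self.plan.ready_for_remediation:
            raise WorkflowError("Remediate requires Ready for Remediation = Yes")
        retest = Sample(retest_name, retest_status, retest_of=self.name)
        if retest.status == PASSED:
            self.status = REMEDIATED
        # Assumption: a failed retest leaves the original sample Failed.
        return retest


def needs_attention(samples: List[Sample], today: date) -> List[str]:
    """Failed samples with no plan, or whose remediation date has passed."""
    return [s.name for s in samples
            if s.status == FAILED
            and (s.plan is None or s.plan.remediation_date < today)]


def demo():
    """Constructed data: the June sample from the text plus two hypothetical ones."""
    june = Sample("June Sample Evaluation", FAILED)
    june.start_plan("Approver list out of date", "Refresh approver list",
                    date(2005, 8, 1))
    june.mark_ready()
    retest = june.remediate("June Sample Evaluation retest", PASSED)
    bad = Sample("Wrong data set pulled", FAILED)
    bad.invalidate("procedure.evaluator", datetime(2005, 7, 15, 9, 30))
    stale = Sample("July Sample Evaluation", FAILED)
    stale.start_plan("Job not scheduled", "Schedule nightly job", date(2005, 8, 15))
    return june, retest, bad, stale
```

`needs_attention` is the check a reviewer would run before procedure evaluation: any name it returns is a failed test that has no plan or whose planned remediation date has passed without a passing retest.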

2.7.3 Procedure evaluation 

The next step in the evaluation process is to have the procedure owners 
evaluate test procedures. The procedure owner’s responsibility is to run the test 
and report in the tool the results from that test. Perform the following steps: 

1. Log in to IBM Workplace for Business Controls and Reporting and go to the 
Evaluation tab. 

2. Select My Procedures from the My Lists portlet. 

In the results of the My List portlet, you will notice that it lists (see Figure 2-69 
on page 93): 

- Procedure name 

- Owner of the procedure 

- Last test date 

- Comments that were made on the last evaluation 

Figure 2-69 List of procedures on the Evaluation tab

3. Select the Procedure you want to evaluate. In this example, we select Cross 
reference and check entries from the list. The details and actions available 
for us to execute are now displayed in the Detail window. See Figure 2-70 on 
page 94. 

Figure 2-70 Procedure Detail

4. At this point, you can read any reference material attached to the procedure 
on the Attached files and URLs tab and review and verify the testing results 
on the Samples tab. 

5. You can now click the Evaluate button and fill in the comments field with data 
related to the test results and click OK, as shown in Figure 2-71. 



You will notice in Figure 2-72 on page 95 that in the My List portlet the Last Test
Date and Comment columns are updated based on the evaluation we just
completed. In addition, the Comment and the Actual Evaluation Date are now
listed in the Detail window for that procedure.

Note: You might have to refresh your view to see the updated information. 

Figure 2-72 The status of evaluations on test procedures


2.7.4 Control evaluation 

After all your procedures have been evaluated, the control owner is now ready to 
make a judgement about a control’s overall effectiveness. 

A full list of all procedures for the control is displayed to provide the control 
evaluator the full information to make a judgment regarding the control 
effectiveness, as shown in Figure 2-73 on page 96. 

Figure 2-73 Control ready for evaluation


Perform the following steps: 

1. Log in as a control owner. In this case, Bernie Bee pulls up the controls for
which he is responsible, and the test procedures are listed below with their
status.

In Figure 2-73, notice all the actions the control owner has available at this
level:

- Up: Clicking this button brings us to the risk. 

- Certify Control: After the procedures have been evaluated, the control can 
be certified using this button. 

- Show Audit Trail: This shows a full audit trail for this control. 

- Control Evaluation: This is where we determine whether a control has 
been deemed effective or not. 

- Control Observation: You can make observations and recommendations 
about a control here. 

- Auditor Observation: The same form as a control observation, but it is 
generally used by auditors. 
For example, an auditor might have read access to the entire system and 
this is the only place they can record information in the system. 


Note: There are separate access control capabilities for each of the 
following items: Certify Control, Control Evaluation, Control Observation, 
and Auditor Observation. 

This enables you to give the appropriate people within your organization 
appropriate access to each of these functions individually. 


2. Click Control Evaluation to open a form, as shown in Figure 2-74, where the 
information listed in Table 2-15 on page 98 can be entered. Click OK to save 
your information. 

Table 2-15 Control evaluation fields 

| Field | Value | Description |
|---|---|---|
| Evaluation | Ineffective, Effective, None | This is where you make your judgement call on control effectiveness based on the test procedure evaluations. |
| Frequency | Annually, Daily, Monthly, Multiple-Times Daily, Quarterly, Semi-Annually, Weekly | This is the control evaluation frequency for your control. |
| Next Evaluation Date* | Date | This field is where you determine the next date for the evaluation of this particular control. Setting this due date might trigger mail alerts to inform control and procedure owners about the next evaluation. |
| Rationale* | Text | This field enables you to document the rationale behind your selections. |
| Evaluation Complete | Yes, No | This is the key field that signifies whether the evaluation is complete. Selecting Yes sends data to the Reports and Executive View. |

* These fields are required. 


After the control evaluation has been completed, the last step in the process is 
that someone, generally independent of the control testing, reviews the control 
evaluation and makes a determination of the impact of the control effectiveness 
result with a broad understanding of the subprocess and the relationship 
between controls. This is done by clicking the Control Observation button. 

The form in Figure 2-75 on page 99 opens. You can document the findings in the 
fields described in Table 2-16 on page 99. 

Figure 2-75 Control observation form 


Table 2-16 Available fields for the control observation 

| Field | Value | Description |
|---|---|---|
| Impacts | Deficiency, Material Deficiency, Significant Deficiency, N/A | This is where you determine the impact of an ineffective control against your financials. This drives information to the Control Status report in the Executive View. |
| Deficiency | Text | This is where you can write detailed documentation about the deficiency of the control. |
| Implication | Text | Here, you document the implication of the control on your business. |
| Recommendation | Text | This is where you document any recommendation about mitigating, replacing, or improving the control. |
| Mitigating control | Text | Here, you document the mitigating control. |
| Mitigated (Y/N)? | Yes, No | Use this selection to flag whether or not this control has been mitigated. This drives information in the Overall Control Effectiveness report in the Executive View. |
| Follow-up Date | Date | Finally, you select the next follow-up date to review this mitigation plan. Setting this date drives the Controls with Follow-up component of the Executive View. |


After these are recorded, they are stored in the database and a report called 
Observations and Recommendations can be generated from the Reports tab. 
For more information about reports, see 2.9, “Reporting and monitoring” on 
page 103. 

Control observations can also be used for effective controls (not just ineffective). 
For effective controls, the control observation can be used to record observations 
and recommendations for improvements. 


2.8 Certification functionality 

Section 302 requires certification of quarterly and annual financial statements as 
part of U.S. Securities and Exchange Commission (SEC) filings. In addition, 
external auditors might require accuracy attestation on key customer, financial, 
or vendor accounts. IBM Workplace for Business Controls and Reporting 
implements certification from the bottom up by enabling you to certify controls, 
processes, business units, and your parent organization. 

After the procedures and a control have been evaluated, the controls can be 
certified by clicking the Certify Control button. When you select that button, a 
pop-up window shows a certification warning, as shown in Figure 2-76 on 
page 101. 

Figure 2-76 Certification message 


Click OK and a certification comments box opens, as shown in Figure 2-77 on 
page 102. Here, you can document anything you need to about the control 
certification. After you complete the certification, that information is stored on the 
control details, as shown in Figure 2-78 on page 102. 

Figure 2-77 Certification comments 



Figure 2-78 Certification status 

This procedure can be repeated at the following levels until you reach the top 
level organizational unit: control, process, business unit, top-level business unit. 

Note: There is not currently a report that provides you a consolidated view of 
certification. You either have to create a custom report to view the status of 
the certification, or manually view the information per object in the system. A 
sample Certification report is available as an additional material with this 
Redpaper to give you an impression of what such a report might look like. See 
Appendix B, “Adding custom reports” on page 201 for information about how 
to make this sample available. 


2.9 Reporting and monitoring 

Reporting occurs throughout the process and not just at the end. IBM Workplace 
for Business Controls and Reporting supports reporting at each of the three 
previously discussed steps in the software methodology: scoping, 
documentation, and evaluation. 

IBM Workplace for Business Controls and Reporting supports reporting through 
two methods, which we describe in detail in this section: 

► Executive Views: A graphically based scorecard that shows the overall status 
of a control framework. It is geared toward business unit owners. 

► Standard reports: Predesigned, text-based reports about various objects 
within the system. These reports are aimed toward the other user roles. 

IBM Workplace for Business Controls and Reporting is supported by the 
following third-party reporting vendors and ships with five limited licenses of 
Crystal Reports in the box today: 

► Crystal Reports 

► Hyperion 

► Cognos 

► MicroStrategy 

► Actuate 

Standard reports for Crystal Reports are shipped with the application. Standard 
reports for other supported vendors are available through download from the 
respective companies. Check with your local reporting representative. 

It is important to understand the standard reports that are available with the 
application and determine additional reporting functionality that would be suited 
for your situation and control management process. After you define your 
additional reporting needs, you can create custom reports based on your 
knowledge of the reporting engine that you implement within IBM Workplace for 
Business Controls and Reporting. 


We discuss custom reporting further in Appendix B, “Adding custom reports” on 
page 201. 

For the remainder of this section, we discuss the Executive View and the 
standard reports. 

Executive View 

The Executive View provides insight as to what has been done, what still needs 
to be done, what is effective, and what is ineffective. You can view the Executive 
View for any business unit level you have access to as defined within the 
application. This enables you to narrow or widen the scope on which you want to 
report. 


Example: If you generate an Executive View report with a scope of the parent 
company, all information from the business units below it is rolled up into the 
view. Conversely, if you want to narrow the scope of the report, you can 
create an Executive View for the finance business unit only. 


Note: Reporting is in real time, and the reports are generated from the current 
information on the fly every time you run a report. 


Let us look at the Executive View of our parent company ACME in this example: 

1. Go to the Executive View tab. 

2. Select the business unit on which you want to report through the tree or 
children portlet. This sends the details into the Detail window, as shown in 
Figure 2-79 on page 105. 








3. Click Show Executive View. This opens a new browser window and loads 
the Executive View report, as shown in Figure 2-80 on page 106. 

The Executive View consists of four quadrants. The two charts at the top of this 
report come from an overall reporting perspective, and the bottom two reports 
come from a project management focus. In addition, you can drill down in this 
report to view the details behind it. 

The four quadrants contain the following views: 

► Overall Control Effectiveness: This is a pie chart that shows the number and 
percent of: 

- Controls that have not been evaluated 

- Controls that have been evaluated and are considered to be effective 

- Ineffective controls that have some form of mitigation 

- Ineffective controls that have no mitigation 


Note: For the Executive View reports, the following definitions apply: 

► An Effective Control is a control where the effectiveness field is set to 
Effective or None and there is an evaluation record for the control. 

► An Ineffective Control is a control where the effectiveness field is set to 
Ineffective and there is an evaluation record for the control. 

► Ineffective with Mitigation is an ineffective control where the 
observation is mitigated. 

► Ineffective with no Mitigation is an ineffective control where there is 
either no observation record, or the mitigated field is set to 0. 

► A Not Tested control is a control that does not have an evaluation 
record for the control. 


► Control Status: The upper-right quadrant shows the level of deficiency for 
controls that have been evaluated as ineffective, distinguishing those that 
lead to minor deficiencies from those that lead to significant or even 
material ones. 

You can drill down for more details by clicking the links for controls with 
mitigation, controls added after documentation was set to “complete,” and 
controls removed from the system (the Controls with Mitigation, Controls 
Added, and Controls Removed links, respectively). Figure 2-81 on page 108 
shows an example of the drill-down report. 

You will also notice two buttons on this window: PDF and Excel. Clicking 
either of these buttons enables you to export and save any report in the 
system in either of those formats, essentially enabling you to capture a 
snapshot of the data at a given moment in time. 

Figure 2-81 Controls with Mitigation Detail report from the Executive View 


► Evaluation Status is the chart in the lower-left corner. This is where to get 
more information about control evaluation. You can look at the status broken 
down per business unit reporting up to the parent company. In this example, 
finance has evaluated close to 10% of controls, while manufacturing (yellow) 
has evaluated close to 15%. Inventory has barely started evaluating. To get 
even more information, you can now drill down again by clicking this chart to 
get the detail reports. Figure 2-82 on page 109 is an example of this. 

Figure 2-82 Evaluation Status Detail 


► Controls with Follow-Up is where you find controls by business unit that show 
the follow-up in three columns: 

- Not Tested: This represents the number of controls that have not yet been 
tested. 

- Past Due: Those controls that have a past due status for follow-up. 

- Next 30 days: Those controls for which a follow-up date is due within the 
next 30 days. 

In this chart, any of the numbers are hot links. You have the ability to see any 
details behind those numbers. Figure 2-83 on page 110 displays the results of 
clicking a number in the Controls Past Due column. We can now see details 
about that control, specifically, who is the owner, and we can communicate 
with them and find out why follow-up is past due. 





Figure 2-83 Controls with Follow-up - Past Due Detail 
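
The Executive View definitions and the Controls with Follow-Up columns described above can be checked against exported data with a short script. This is an added example, not code from the product: the record field names, the sample controls, and the treatment of a follow-up date that falls on the report date are assumptions. It shows in particular that an evaluation left at None is counted as Effective, and that an ineffective control without an observation record is counted as unmitigated.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed hierarchy: business unit -> parent (unit names taken from the page).
PARENT = {"ACME": None, "Finance": "ACME", "Manufacturing": "ACME", "Inventory": "ACME"}

# Constructed sample controls (field names are hypothetical).
#   evaluation: None = no evaluation record; otherwise the Evaluation field value.
#   mitigated:  None = no observation record; otherwise the Mitigated (Y/N) flag.
CONTROLS = [
    {"id": "C1", "unit": "Finance", "evaluation": "Effective",
     "mitigated": None, "follow_up": None},
    {"id": "C2", "unit": "Finance", "evaluation": "None",
     "mitigated": None, "follow_up": None},
    {"id": "C3", "unit": "Finance", "evaluation": "Ineffective",
     "mitigated": True, "follow_up": date(2005, 6, 20)},
    {"id": "C4", "unit": "Manufacturing", "evaluation": "Ineffective",
     "mitigated": False, "follow_up": date(2005, 5, 1)},
    {"id": "C5", "unit": "Manufacturing", "evaluation": "Ineffective",
     "mitigated": None, "follow_up": None},
    {"id": "C6", "unit": "Inventory", "evaluation": None,
     "mitigated": None, "follow_up": None},
]


def classify(control):
    """Apply the Executive View definitions to one control record."""
    evaluation = control["evaluation"]
    if evaluation is None:                      # no evaluation record at all
        return "Not Tested"
    if evaluation in ("Effective", "None"):     # "None" still counts as effective
        return "Effective"
    if evaluation != "Ineffective":
        raise ValueError(f"unexpected evaluation value: {evaluation!r}")
    # No observation record (None) and mitigated = 0 (False) both mean unmitigated.
    if control["mitigated"]:
        return "Ineffective with Mitigation"
    return "Ineffective with no Mitigation"


def in_scope(unit, scope):
    """True if unit is the scope unit itself or sits anywhere below it."""
    while unit is not None:
        if unit == scope:
            return True
        unit = PARENT[unit]
    return False


def overall_control_effectiveness(scope):
    """Roll up the pie-chart counts for a business unit and everything below it."""
    counts = Counter(classify(c) for c in CONTROLS if in_scope(c["unit"], scope))
    return dict(counts)


def effective_but_unrated(scope):
    """Controls shown as Effective only because Evaluation was left at None."""
    return [c["id"] for c in CONTROLS
            if in_scope(c["unit"], scope) and c["evaluation"] == "None"]


def follow_up_bucket(control, today):
    """Return the Controls with Follow-Up column for a control, or None."""
    if control["evaluation"] is None:
        return "Not Tested"
    due = control["follow_up"]
    if due is None:
        return None
    if due < today:
        return "Past Due"
    # Assumption: a date due today up to 30 days ahead counts as "Next 30 days".
    if due <= today + timedelta(days=30):
        return "Next 30 days"
    return None


if __name__ == "__main__":
    print(overall_control_effectiveness("ACME"))
    print(effective_but_unrated("ACME"))
    for c in CONTROLS:
        print(c["id"], follow_up_bucket(c, date(2005, 6, 1)))
```
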


Standard reports 

Standard reports are accessed from the Reports tab within the application and 
are generated based on the business unit that you select within this tab. 

Figure 2-84 on page 111 shows the Reports tab after selecting North American 
Operations. The children portlet now provides you with a Business Unit tab and 
a Reports tab. Selecting the Reports tab provides you with a list of all the reports 
you can run on the fly. In this example, all of these reports are automatically 
scoped to aggregate up to the North American Operations level. In Figure 2-84 
on page 111, you see the reports available from this tab and a good description 
of each report. 


Tip: Custom reports can be added to this list. For examples and steps, see 
Appendix B, “Adding custom reports” on page 201. 

Figure 2-84 Reports list 

Some examples of reports from this list include: 

► Documentation Status 

For each node in the organization that is not considered Not Important, the 
Documentation Completed status is shown. Figure 2-85 shows an example of 
a Documentation Status report. 

Figure 2-85 Example of a Documentation Status report 













► Linking Matrix 

This report lists processes and controls relative to income statement items. It 
shows what controls are associated with what line items in the financial 
reports including the financial assertions. Figure 2-86 shows an example of a 
Linking Matrix report. 

Figure 2-86 Example of the Linking Matrix report 


► Observations and Recommendations 

This report is generated by querying for controls that are not effective and 
have the selected impact within a selected organization. Figure 2-87 on 
page 114 shows an example Observations and Recommendations report. 

You can select an impact type or all of them (Material Deficiency, Deficiency, 
Significant Deficiency, or All). 

The Observations and Recommendations report data is grouped by the 
process/subprocess within an organization. 

For each subprocess, a grid is shown with the following columns: 

- Control 

- Deficiency 

- Implications 

- Mitigating Control 

- Recommendations 

- Impact 

- Owner 



Reporting functionality in Version 2.5.1 

Version 2.5.1 offers a new reporting option for our customers, in addition to 
Business Objects (Crystal Reports), Hyperion, Cognos, and so on, by including 
IBM DB2 Alphablox in the box with IBM Workplace for Business Controls and 
Reporting. This provides the ability for our customers to build and embed their 
own reports for IBM Workplace for Business Controls and Reporting. Due to the 
limited time between the acquisition of Alphablox and the shipment of 
Version 2.5.1, no standard reports were included. However, in future 
versions, expect more integration between the two applications. 


Chapter 3. IBM Workplace for Business Controls and Reporting administration 


This chapter describes the technical and functional responsibilities of the 
administrator for an IBM Workplace for Business Controls and Reporting system. 
We discuss the demarcation of the IBM WebSphere Portal administration and 
Workplace for Business Controls and Reporting-specific responsibilities. This 
chapter covers the following topics: 

► WebSphere Portal administration versus Workplace for Business Controls 
and Reporting administration 

► Access control 

► Defining the financial year 

► Catalogs and data import 

► Global settings 

► Label Manager 

► Versioning and archiving 

► Scheduling asynchronous tasks 

► Enabling notification rules 


3.1 Administrative responsibilities 

When IBM Workplace for Business Controls and Reporting is installed, it adds an 
administrative component to the WebSphere Portal Administration page. The 
administration of a complete Workplace for Business Controls and Reporting 
system can involve many different tasks depending on the type of deployment, 
configuration, and environment. It can include technical responsibilities related to 
administrating: 

► IBM WebSphere Application Server and the HTTP server 

► WebSphere Portal server 

► LDAP directory 

► DB2 UDB 

► DB2 Content Manager 

► The reporting engine 

In most cases, responsibilities in these areas are clearly demarcated, and we do 
not discuss any of the specific technical responsibilities related to the day-to-day 
availability, administration, and monitoring of these components. Refer to 4.3, 
“Expertise and skills required” on page 191 for a list of suggested readings and 
classes available for some of these applications. 

In some deployments, Workplace for Business Controls and Reporting might run 
as a stand-alone portal instance, in which case, the Workplace for Business 
Controls and Reporting administrator can have extended responsibilities and 
becomes synonymous with the WebSphere Portal administrator. For the purpose 
of this Redpaper, we focus, however, on those administrative tasks that are 
directly related to managing the Workplace for Business Controls and Reporting 
system itself through functionality provided by the application. In some cases, 
access to the WebSphere Portal Administration page is required. We indicate 
where this is the case so that the Workplace for Business Controls and Reporting 
administrator can coordinate with the Portal administrator. 


3.1.1 Separating Workplace for Business Controls and Reporting 
administrator access from Portal administrator access 

Often, the Workplace for Business Controls and Reporting administrator function 
will be a responsibility separate from the WebSphere Portal administration role. 
However, because of the way Workplace for Business Controls and Reporting 
integrates the Workplace for Business Controls and Reporting administration 
with the Portal Administration page, the Workplace for Business Controls and 
Reporting administrator needs to be a member of the wpsadmins group in order 
to get to the administrator pages. Many customers want to restrict access for the 
IBM Workplace for Business Controls and Reporting administrator to Workplace 
for Business Controls and Reporting-specific functions only. 

To set up the Workplace for Business Controls and Reporting system such that 
the Workplace for Business Controls and Reporting administrator (for example, 
wbcradmin) has access only to specific functions, perform the following steps: 

1. Log in to WebSphere Portal as the Portal administration user (for example, 
wpsadmin). 

2. Navigate to Administration -> Access -> Users and Groups. 

3. Select the All Portal Users group. 

4. Create a new group (for example, wbcradmins). 

We now configure the access control lists (ACLs) for this new group so that it 
has access to the Administration page and just the Workplace for Business 
Controls and Reporting Administration portlets. 

5. Navigate to Administration -> Access -> Users and Groups Permissions. 

6. Select User Groups and select the group you created in step 4 for the 
Workplace for Business Controls and Reporting administrator users. 

7. Select Pages for the Resource Type and navigate to Content Root -> 
Administration -> WBCR Administration. Select Assign Access for the 
Workplace for Business Controls and Reporting Administration page, as 
shown in Figure 3-1 on page 120. 

Figure 3-1 Assign wbcradmins access to the Administration page 

8. As shown in Figure 3-2 on page 121, select the User role under the Explicitly 
Assigned column. Click OK, and then Done to save and return to the 
Resource Type level. 

Figure 3-2 Assign User role permissions 


9. Next, we need our wbcradmins group to be able to view all the Workplace for 
Business Controls and Reporting Administration portlets. Select Portlets 
under the Resource Type. 

10. Search for Scheduler and explicitly assign the User role for your wbcradmins 
group. Repeat this step for all of the following Workplace for Business 
Controls and Reporting Administration portlets: 

- Scheduler 

- Notification Manager 

- Label Manager 

- Global Settings 

- Fiscal Year 

- Import 

- Access Control Administration 

11. Now that we have created the Workplace for Business Controls and Reporting 
administrator user group and configured the page and portlet permissions 
for this group, we need to add the Workplace for Business Controls and 
Reporting administrative users to this group. Navigate to Administration -> 
Access -> Users and Groups. 

12. Search for and select the wbcradmins group you created. Click Add 
Member, search, and add the Workplace for Business Controls and 
Reporting administrator users to this group. 


Note: Rather than having named users for the Workplace for Business 
Controls and Reporting administrator role, you might want to create a new 
user, such as wbcradmin. 


13. Workplace for Business Controls and Reporting also deploys a set of internal 
roles (see 3.2, “IBM Workplace for Business Controls and Reporting access 
control” on page 125). Users who are Workplace for Business Controls and 
Reporting administrators must also be members of the Workplace for 
Business Controls and Reporting global administrator role. 

14. Navigate to WBCR Administration -> Access Control. Select 
Administrator, and then click the Edit icon. Search for user names (for 
example, wbcradmin) and add them to the administrator role. See Figure 3-3 
on page 123. 

Figure 3-3 Assign wbcradmin to the administrator role 

All users added to the wbcradmins group should now be able to log in to 
WebSphere Portal and see the Administration link and be able to use only the 
Workplace for Business Controls and Reporting Administration portlets, as 
displayed in Figure 3-4 on page 124. 

Figure 3-4 wbcradmin can only access Workplace for Business Controls and Reporting 


3.1.2 Changes to administration in IBM Workplace for Business 
Controls and Reporting Version 2.5.1 

The IBM Workplace for Business Controls and Reporting 2.5.1 release provides 
an inherent distinction between the WebSphere Portal administration and 
Workplace for Business Controls and Reporting administration by moving most 
of the Workplace for Business Controls and Reporting-specific administrative 
functions to a separate tab within the application interface. Scheduling 
functionality and configuration settings for the SMTP server responsible for 
sending notifications and alerts remain under the Portal administration. All other 
Workplace for Business Controls and Reporting administrative functions are 
accessible through the Workplace for Business Controls and Reporting Settings 
tab for users in the role of Workplace for Business Controls and Reporting 
administrator, as shown in Figure 3-5 on page 125. 

Figure 3-5 IBM Workplace for Business Controls and Reporting V2.5.1 Settings tab 


3.2 IBM Workplace for Business Controls and Reporting 
access control 

The IBM Workplace for Business Controls and Reporting administration area for 
access control is used by the Workplace for Business Controls and Reporting 
administrator to: 

► Add members to the IBM Workplace for Business Controls and Reporting 
global roles 

► View and inspect privileges for the IBM Workplace for Business Controls and 
Reporting default roles 

► Define and maintain custom IBM Workplace for Business Controls and 
Reporting roles and privileges 

Note: IBM Workplace for Business Controls and Reporting does not deal with 
authentication and access to the WebSphere Portal pages and Workplace for 
Business Controls and Reporting portlets on those pages. Authentication is 
handled by Portal itself and access permission to Workplace for Business 
Controls and Reporting pages and portlets is dealt with by the Portal 
administrator. To create groups and grant these groups access to individual 
Workplace for Business Controls and Reporting pages, the steps are similar to 
those described in 3.1.1, “Separating Workplace for Business Controls and 
Reporting administrator access from Portal administrator access” on 
page 118. 


3.2.1 Understanding the role-based access control model 

IBM Workplace for Business Controls and Reporting implements a role-based 
access control model. Access control provides the necessary protection for all 
data resources, including all records in the IBM Workplace for Business Controls 
and Reporting data model, static catalog data model, and administrative data 
model. IBM Workplace for Business Controls and Reporting defines default roles 
for common members of an organization and provides the ability for Workplace 
for Business Controls and Reporting administrators to define custom roles. 

► A role in IBM Workplace for Business Controls and Reporting is a set of 
permissions. 

► A permission defines what action types can be performed on a specific 
resource type. 

► Action types are: 

- Read 

- Edit 

- No Access 

► Resource types can be: 

- Objects (business unit, process, subprocess, objective, risk, control, 
procedure, sample, evaluation) 

- Attributes of an object 

- Global settings 

► The access control list (ACL) maps a role to a specific user and a specific 
object. 

As an example, the ACL table can contain an entry specifying that user Celia 
Ortez is in the role of organization owner for the business unit object Finance. 
IBM Workplace for Business Controls and Reporting can then derive from the 
role definition what actions Celia is able to perform on this resource and 
resources associated with the Finance business unit object. The example in 
Figure 3-6 shows the set of permissions for the organization owner role. 



Figure 3-6 Celia Ortez is organization owner of Finance unit 

The Workplace for Business Controls and Reporting Administrator can inspect 
the organization owner role to see exactly what Celia is able to do with the 
Finance unit and its dependent objects: 

1. Log in as the Workplace for Business Controls and Reporting administrator. 

2. Navigate to Administration -> WBCR Administration -> Access Control. 

3. Select Role Management. 

4. Click the View icon next to Organization Owner. 

Figure 3-7 on page 128 shows the resource permissions for the organization 
owner. 

Figure 3-7 Inspecting the Resource Permissions for Organization Owner role 


Table 3-1 shows the implications of the resource permissions associated with the 
organization owner role. 

As an organization owner, Celia will be able to perform the actions described in 
Table 3-1. 


Table 3-1 Organization owner permissions example 

| Access type: Resource | Implication |
|---|---|
| Edit: Organization object | Edit the Finance unit and all business units defined below that level (for example, Treasury). |
| Edit: Process object | Edit and create processes defined below that unit (for example, Accounts Receivable). |
| Edit: Subprocess object | Edit and create subprocesses defined below that unit (for example, Bad Debt). |
| Edit: Objective object | Edit and create objectives defined below that unit (for example, Bad debt is appropriately managed and monitored). |
| Edit: Risk object | Edit and create risks defined below that unit (for example, Bad debt may go uncollected). |
| Edit: Control object | Edit and create controls defined below that unit (for example, Only authorized users have the ability...). |
| Edit: ControlObeservation object | Edit and create control observations for any control defined below that unit. |
| Edit: ControlEvaluation object | Edit and create control evaluations for any control defined below that unit. |
| View: AuditorObservation object | View any auditor control observation below that unit. |
| Edit: Procedure object | Edit and create procedures for any control defined below that unit. |
| Edit: Sample object | Edit and create samples for any procedure defined below that unit. |
| Edit: Certification object | Certify the unit itself and any other unit, process, and control defined below that unit. |
| No Access: Key Control attribute | Cannot select or clear the controls “For Evaluation” under that unit. |
| No Access: Control Impact attribute | Cannot edit the Impact field on any control observation below that unit. |
| No Access: Control Frequency attribute | Cannot edit the control execution frequency on any control evaluation below that unit. |
| No Access: Control Next Evaluation attribute | Cannot edit the next evaluation date on any control evaluation below that unit. |
| Edit: ACL | Edit the ownership and delegation for any object defined below that unit. |
| Edit: ChildNodes | Can create new business units and processes below that unit. |
| No Access: Configuration | Does not have access to global settings, financial year definition, or notification rules. |
| No Access: Import | Cannot load or reload catalogs into the system. |
| No Access: Version | Cannot create versions. |
| No Access: Financial | Cannot edit or create financial statements. |


3.2.2 Inheritance and traversability 

A user inherits access to any object below the one at which explicit ownership 
has been granted. What the user is able to do with the indirectly owned objects is 
determined by the role. Traversability is required by the tree-like navigation: The 
user will have read access in a direct line up the tree in order to be able to 
understand the overall context and drill down to the objects the user owns. 

In the following example shown in Figure 3-8, Mary owns Finance, has inherited 
access to all object nodes below Finance, and has traversability (read) access to 
EMEA and ACME. John owns Subprocess 2 and has traversability (read) access 
to Process 2, Finance, EMEA, and ACME. 



3.2.3 Default roles 

IBM Workplace for Business Controls and Reporting comes with 13 
out-of-the-box roles with predefined privileges that provide out-of-the-box 
security. In Release 2.5.01, these privileges cannot be modified. In the 2.5.1 
version, these default privileges can be changed. 

Global roles 

Global roles are those roles that are not associated with any specific IBM 
Workplace for Business Controls and Reporting object (business unit, process, 
subprocess, control, procedure). Members of global roles are added through the
IBM Workplace for Business Controls and Reporting administrative interface and
have system-wide applicability. The following list describes global roles:

► Administrator 


Users added to the IBM Workplace for Business Controls and Reporting 
administrator role will have access to any object in the IBM Workplace for 
Business Controls and Reporting system, including the meta functions. All of 
the privileges in the administrator role are set to Edit. 

After installation, the IBM Workplace for Business Controls and Reporting 
administrator will already have been added to this role. We recommend that 
you add at least one more user with Workplace for Business Controls and 
Reporting administration access as a backup. 

► Auditor 

The intention of the global auditor role is to provide users added to the IBM
Workplace for Business Controls and Reporting auditor role with read access
to any object in the IBM Workplace for Business Controls and Reporting
system. In addition, these users will be able to create auditor observations for
any control in the system to provide the auditor’s perspective on a control’s
effectiveness.


Note: In the 2.5 release (including the 2.5.01 fix pack), adding members to 
the global auditor role does not work as intended. Adding users to the 
global auditor role through the IBM Workplace for Business Controls and 
Reporting administrative interface does not have any effect. To add users 
with auditor role, perform the following steps: 

1. Go to the Organization tab. 

2. Navigate to the business unit to which the intended user should have 
auditor access. Select the top parent unit for system-wide auditor 
access, or a specific business unit below the parent level to restrict the 
auditor access to that level and below. 

3. Switch to Edit mode. 

4. Click the pencil icon next to Delegates. 

5. Click Add Delegate. 

6. Search for the user to be added by typing in part of the name.

7. Select the user to be added in the auditor role and click OK.

8. From the drop-down list next to the newly added user name, select Auditor.

9. Click OK. 






In the IBM Workplace for Business Controls and Reporting 2.5.1 release, 
users can be added to the global auditor role through the IBM Workplace for 
Business Controls and Reporting administrative interface. If the global setting 
“Allow System Wide Auditor Access” has been enabled (see “Additional 
global settings in IBM Workplace for Business Controls and Reporting V2.5.1” 
on page 145), nothing else needs to be done to provide these users with the 
auditor privileges throughout the IBM Workplace for Business Controls and 
Reporting system. If this global setting is disabled, users are added in auditor 
roles as described earlier for the IBM Workplace for Business Controls and 
Reporting 2.5 release. In that case, adding members through the global role
permissions has no effect.


Tip: If auditors need access only to specific parts of the organization, add
auditors through the Organization tab by defining users as delegates in the
auditor role at the appropriate business unit level. You can assign users to
the global auditor role in the IBM Workplace for Business Controls and
Reporting administrative interface only when you use Version 2.5.1 and want
all auditors to have system-wide (read) access by default.


► Finance Owner 

Users added to the finance owner role will be able to create, edit, and delete 
financial statement captions and line items through the Financial Reports tab. 

Non-global roles 

IBM Workplace for Business Controls and Reporting provides 10 default 
non-global roles with predefined privileges. Members are added to these roles 
when specific objects are created in the IBM Workplace for Business Controls 
and Reporting hierarchy. In releases prior to IBM Workplace for Business 
Controls and Reporting Version 2.5.1, these roles and privileges cannot be 
modified. Version 2.5.1 supports customization of these roles by changing the 
privileges. The standard roles are: 

► Organization owner 

► Organization helper 

► Process owner 

► Process helper 

► Subprocess owner 

► Subprocess helper 

► Control owner 

► Control helper 






► Procedure owner 

► Procedure helper 

The privileges for each role are defined in such a way that owners and helpers at 
each resource level in the object hierarchy have at least view access to parent 
objects to ensure traversability. As an example, if the subprocess owner role had 
no access at the process level, a subprocess owner would not be able to drill 
down the tree to navigate to the owned resource. 


3.2.4 Custom-defined roles 

Custom roles can be defined in IBM Workplace for Business Controls and
Reporting to meet specific customer requirements with respect to the privileges
that groups of users might need to have in the IBM Workplace for Business
Controls and Reporting application. For example, the standard role for auditor
does not have privileges to evaluate controls. If an organization wanted to
allow auditors to also evaluate controls, a custom role for auditors can be
created. To add a custom role, perform the following steps:

1. Navigate to WBCR Administration -> Access Control. 

2. Go to the Role Management tab. 

3. Click Add New Role. 

4. Type Auditor with Evaluation Rights in the Name field and provide an
optional description in the Description field.

5. Set the privileges for each resource. Figure 3-5 on page 125 shows sample 
settings that allow auditors to view all objects and edit control evaluations, 
procedures, and samples. To also allow auditors to create control 
evaluations, procedures, and samples, this role needs to be granted Child 
Nodes Edit privileges.

Figure 3-9 Setting privileges


6. Click OK to save the new role. 

This role is now available when assigning ownership to specific objects in the 
hierarchy. This particular role should only be used in the Delegates field and only 
at the Control level; this role should not be applied at higher levels in the 
hierarchy such as a Business Unit. The Child Nodes privilege, required to allow 
this role to create new procedures and samples, will have an undesired side 
effect, allowing the external auditor to create new child objects at that level (for 
example, new business units and processes). This is a caveat in the current 
role-based access model. 
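
The inheritance, traversability and Child Nodes behaviour described in 3.2.2 through 3.2.4, as an added Python sketch (not product code or an IBM API). The node kinds, the containment map, Process 1, Control A, the two auditor user names and all privilege sets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed containment model (objectives and risks omitted for brevity).
CHILD_KINDS = {
    "BusinessUnit": ("BusinessUnit", "Process"), "Process": ("Subprocess",),
    "Subprocess": ("Control",), "Control": ("Procedure",),
    "Procedure": ("Sample",), "Sample": (),
}

@dataclass(eq=False)  # nodes compare by identity, so equal names never collide
class Node:
    name: str
    kind: str
    parent: "Node | None" = None

    def add(self, name, kind):
        return Node(name, kind, self)

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    node: Node  # object at which ownership or delegation was assigned

def ancestors(node):
    """Yield the direct line from node's parent up to the root."""
    while node.parent is not None:
        node = node.parent
        yield node

def access_basis(grant_node, target):
    """How a grant at grant_node reaches target."""
    if target is grant_node:
        return "explicit"
    if any(a is grant_node for a in ancestors(target)):
        return "inherited"   # target lies below the owned object
    if any(a is target for a in ancestors(grant_node)):
        return "traverse"    # read-only, direct line up the tree
    return None              # sibling branches stay out of reach

def user_access(grants, user, target):
    """Strongest basis that any of the user's grants gives on target."""
    rank = {"explicit": 0, "inherited": 1, "traverse": 2}
    found = [access_basis(g.node, target) for g in grants if g.user == user]
    found = [b for b in found if b is not None]
    return min(found, key=rank.get) if found else None

def may_create(grants, roles, user, parent, child_kind):
    """ChildNodes=Edit at or above parent permits any child kind that fits there."""
    if child_kind not in CHILD_KINDS[parent.kind]:
        return False
    return any(
        g.user == user
        and access_basis(g.node, parent) in ("explicit", "inherited")
        and roles[g.role].get("ChildNodes") == "Edit"
        for g in grants
    )

def misplaced_grants(grants, roles, control_only_roles):
    """Grants of a control-only role carrying ChildNodes=Edit that sit elsewhere."""
    return [
        g for g in grants
        if g.role in control_only_roles
        and roles[g.role].get("ChildNodes") == "Edit"
        and g.node.kind != "Control"
    ]

def build_example():
    """Constructed sample data: the Figure 3-8 names plus Process 1 and Control A."""
    acme = Node("ACME", "BusinessUnit")
    emea = acme.add("EMEA", "BusinessUnit")
    finance = emea.add("Finance", "BusinessUnit")
    process1 = finance.add("Process 1", "Process")
    process2 = finance.add("Process 2", "Process")
    sub2 = process2.add("Subprocess 2", "Subprocess")
    control = sub2.add("Control A", "Control")
    custom = "Auditor with Evaluation Rights"
    roles = {  # privilege sets are constructed, not the product defaults
        "Organization owner": {"ChildNodes": "Edit"},
        "Subprocess owner": {"ChildNodes": "Edit"},
        custom: {"ChildNodes": "Edit", "ControlEvaluation": "Edit",
                 "Procedure": "Edit", "Sample": "Edit"},
    }
    grants = [
        Grant("Mary", "Organization owner", finance),
        Grant("John", "Subprocess owner", sub2),
        Grant("auditor_ok", custom, control),    # delegate at Control level
        Grant("auditor_bad", custom, finance),   # same role at a Business Unit
    ]
    all_nodes = (acme, emea, finance, process1, process2, sub2, control)
    return {n.name: n for n in all_nodes}, roles, grants

if __name__ == "__main__":
    nodes, roles, grants = build_example()
    for user in ("Mary", "John"):
        print(user, {k: user_access(grants, user, n) for k, n in nodes.items()})
    for g in misplaced_grants(grants, roles, {"Auditor with Evaluation Rights"}):
        print("review:", g.user, "holds", g.role, "at", g.node.kind, g.node.name)
```

Running a check like `misplaced_grants` over an export of delegate assignments is one way to confirm that the custom role was applied only at the Control level before auditors are given access.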


Important: In the current release, this functionality should only be used after
careful up-front planning and testing for unwanted side effects. Roles cannot
be removed or edited after a member has been assigned to that role.

3.3 User interface


In this section, we examine a range of settings that determine the general 
behavior of the application and the way information is displayed to end users. 
There are two administrative portlets under the user interface: 

► Global Settings 

General settings that affect the way the end user interacts with the 
application. 

► Customize Labels 

This enables the Workplace for Business Controls and Reporting 
administrator to customize labels, keyword values, and messages to match 
corporate language and terminology. 


Note: The overall look-and-feel of the Workplace for Business Controls and 
Reporting application can be customized by changing the themes and skins to 
match an organization’s corporate guidelines and standards. A theme is an 
interchangeable front end for a portal place. A theme controls elements such 
as the banner, navigation, and look and feel for a place. A skin is an 
interchangeable front end for a portlet. A skin controls elements such as the 
minimize and maximize icons, the title bar, and the background color or 
pattern. 

It is the WebSphere Portal administrator’s responsibility to apply a customized 
theme and skin to the portal if the default IBM Workplace for Business 
Controls and Reporting theme needs to be replaced. 


3.3.1 Global settings 

To navigate to the global settings, select WBCR Administration -> User 
Interface -> Global Settings. Figure 3-10 on page 136 shows the Global 
Settings window.

Enforcing financial linkage

Sarbanes-Oxley Section 404 requires organizations to publish information in 
their annual reports concerning the scope and adequacy of the internal control 
structure and procedures for financial reporting. 

To help manage internal control over financial reporting, IBM Workplace for 
Business Controls and Reporting enables you to establish linkage such that 
subprocesses impacting financial statement line items can be linked to these 
items. Not all processes and their related controls, however, directly impact 
financial statement line items. Examples are processes and controls that impact 
the control environment or operations such as general IT controls. 

The settings for Financial linkage (Yes/No) and Show NONE financial statement
Option, together, control whether subprocesses must be linked to financial
statement line items.

In a very narrowly scoped system, in which only controls that impact financial 
reporting are documented, you might want to enforce financial linkage to make 
sure that each and every subprocess has a linkage. To configure IBM Workplace 
for Business Controls and Reporting to this narrow scope, perform the following 
steps: 

1. Set Financial linkage to Yes.

2. Set Show NONE financial statement Option to No.

3. When these settings are changed, you need to log out of the portal and log
back in to see the changes take effect.

Using these global settings, a subprocess cannot be saved unless it is linked to
at least one significant line item on the financial statements, as shown in 
Figure 3-11. 



Figure 3-11 Subprocess linked to financial statement based on global settings 


Restriction: Subprocesses can be imported from a catalog without financial 
linkage. Only when the imported subprocess is saved after being switched into 
edit mode will the financial linkage be enforced. 


Table 3-2 on page 138 displays the effects of all possible combinations of these
settings.

Table 3-2 Financial Linkage settings

| Financial linkage | Show NONE | Impact |
|---|---|---|
| Yes | No | Linkage enforced, but “None” cannot be selected as a financial statement option. |
| No | No | None is not shown as an option but a subprocess can be saved without creating a linkage. |
| Yes | Yes | Linkage enforced, but None (the default) can be selected as an option. |
| No | Yes | Linkage is not enforced and None (the default) can be selected as an option. Effectively equivalent to the previous option. |


Displaying financial values 

In some cases, customers might not want to show the actual financial statement 
line item values (current year-end and previous year-end) when linkage is 
established for the subprocess. To hide financial values, change the (default) 
value from On to Off in the Financial Values field. See Figure 3-12 on page 139.

Figure 3-12 Financial statement values hidden when user establishes linkage


Note: Any user with access to the standard reports will still be able to run the 
Linking Matrix report, which shows financial values regardless of the global 
setting. 


Enforcing Document Complete 

A process owner can switch the Documentation Complete value for a process 
from the initial No value to Yes to indicate that documentation for a process has 
been completed. 

The objects associated with that process can still be edited, but the 
Documentation Complete value cannot be switched back to No for that process. 
Only control evaluations for processes marked Documentation Complete are 
included in the executive dashboards and many of the other standard reports.

The global setting for Enforce Document Complete further affects the way
switching the Documentation Complete value for a specific process impacts
operations.

With the global setting enabled, the business objects (process, subprocess,
objective, risk, control) for the associated process can no longer be edited after
the Documentation Complete value is switched to Yes.

With the global setting enabled, control owners can only start marking controls 
For Evaluation after the process owner switches the Documentation Complete 
value for the associated process to Yes. Note that only the control owner and 
control helper roles have the privilege to mark controls For Evaluation. 

However, this does not mean that controls cannot be evaluated. If the 
organization wants to assure that evaluation does not commence until the 
Documentation Complete for a process is set to Yes, perform the following steps: 

1. Set the global setting for Enforce Document Complete to Yes. 

2. Log in with WebSphere Portal administration access (or coordinate with the 
Portal administrator to make these changes). 

3. Navigate to Portal Administration -> Portlets -> Manage Portlets.

4. Search for portlets by entering WBCR in the Title contains field.

5. Select WBCR - Evaluation Detail.

6. Click Modify parameters.

7. In the blank parameter field, define ShowAllControlsForEval with a value of
false.

8. Click Add.

9. Scroll to the bottom of the window and click Save.

10. Scroll to the bottom of the window and click Cancel to return to the Portlets
list.

11. Select WBCR - Evaluation Navigation from the Portlets list.

12. Repeat steps 6-10. 

After making these changes, control owners will see no controls when they go to 
the Evaluation tab. When the process owner switches the process to 
Documentation Complete, the control owners can receive notification (see 
3.4.3, “Enabling mail rules” on page 154) and mark controls For Evaluation on 
the Documentation tab. On the Evaluation tab, only those controls marked For 
Evaluation are now available to be evaluated and tested.

Note: In the 2.5.1 release, the steps to add parameters to the portlets can be
skipped. ShowAllControlsForEval will be predefined as a portlet parameter
and the value can be defined through the global settings (see “Additional 
global settings in IBM Workplace for Business Controls and Reporting V2.5.1” 
on page 145). 


Determining default owner for process import from catalogs 

This setting determines ownership when processes or subprocesses are 
imported from a catalog assuming the catalog does not specifically predefine 
owners for the objects in the process tree. 

If the default setting Log-in-User applies, the user who performs the import from 
a catalog will become the owner of the process (or subprocess) and its related 
business elements. 

If the default setting is changed to parent, the owner of the business unit will 
become the owner of the process and its related objects when the process is 
associated with that business unit by importing it from a catalog. If a subprocess 
is associated with an existing process object by importing the subprocess from a 
catalog, the process owner will become the owner of the subprocess and its 
related business objects. 

Displaying internal keys for labels 

When the Label Display Options field is changed to Key, all labels in the user 
interface will show the internal keys rather than the actual values to help the IBM 
Workplace for Business Controls and Reporting administrator determine which 
keys need to be modified in case label changes are required. Actual changes are 
made through the Label Manager component (see 3.3.2, “Customizing the IBM 
Workplace for Business Controls and Reporting labels” on page 148). 

As an example, suppose that the compliance team has seen the drop-down 
values for the Impact field on the Control Observation window and has 
determined that the term Material Deficiency needs to be customized to Material 
Weakness in order to match corporate terminology. As we will see, it can be 
challenging for the IBM Workplace for Business Controls and Reporting 
administrator to find out exactly which label or labels to change. After switching 
this global setting temporarily to Key and navigating to the Control Observation 
window for a control, we can now quickly determine that the label to be changed 
is wbcr.control.observation.label.impact.material_deficiency, as shown in 
Figure 3-13 on page 142.

Figure 3-13 Displaying keys rather than values


Note: Use this setting with great caution and only when the system is not 
accessible for end users, because it will impact the user interface for all users. 


Hiding non-associated risks 

Even though the IBM Workplace for Business Controls and Reporting user 
interface shows risks hierarchically below objectives, in the IBM Workplace for 
Business Controls and Reporting data model, both risks and objectives are child 
objects to a subprocess. This allows for n:n relationships such that one risk can 
be associated with multiple objectives and one objective can be associated with 
multiple risks. The relationship is established through association. A user 
associates risks with an objective on the Documentation tab by selecting one or 
more risks for the currently selected objective. In Figure 3-14 on page 143, the
user has selected only one risk, “Management does not review blocked sales
transactions before further processing,” to be associated with the objective
“Unusual or sensitive documents are subject to further management review prior
to posting.” The other risk, “Billing transactions are not recorded completely
and/or accurately in the general ledger,” in this particular example, would
clearly be associated with the objective “All billing transactions are recorded
in the general ledger correctly and completely.”



Figure 3-14 Risk-objective associations on the Documentation tab 


On the Evaluation tab (Figure 3-15 on page 144), however, no matter what 
associations had been made during documentation, all risks will appear under 
each objective. This might be confusing for end users because there is no way of 
telling which risk is associated with which objective or objectives.

Figure 3-15 Both risks displayed under each objective

To change the way risk-objective associations are displayed on the Evaluation 
tab, perform the following steps: 

1. Log in with WebSphere Portal administration access (or coordinate with the 
Portal administrator to make these changes). 

2. Navigate to Portal Administration -> Portlets -> Manage Portlets.

3. Search for portlets by entering WBCR in the Title contains field. 

4. Select WBCR - Evaluation Detail. 

5. Click Modify parameters. 

6. In the blank parameter field, define HideNonAssocRisksForEval with a value of 
true. 

7. Click Add. 

8. Scroll to the bottom of the window and click Save. 

9. Scroll to the bottom of the window and click Cancel to return to the Portlets 
list. 

10. Select WBCR - Evaluation Navigation from the Portlets list.

11. Repeat steps 6-10.

Note: In the 2.5.1 release, the steps to add parameters to the portlets can be
skipped. HideNonAssocRisksForEval will be predefined as a portlet parameter 
and the value can be defined through the global settings (see “Additional 
global settings in IBM Workplace for Business Controls and Reporting V2.5.1” 
on page 145). 


After setting the portlet parameters, the Evaluation tab (Figure 3-16) will only 
show the risks associated with an objective. 



Additional global settings in IBM Workplace for Business 
Controls and Reporting V2.5.1 

The 2.5.1 release supports a number of additional global settings. Many of these 
are related to new fields and functionality and whether to expose these attributes 
and functions. The window shown in Figure 3-17 on page 146 and Table 3-3 on 
page 146 provide an overview of these settings. We briefly cover only those 
global settings that are new in Version 2.5.1.

Table 3-3 Overview of new global settings

| Global setting | Options | Comment |
|---|---|---|
| Default Control owner | Log-In-User (default); Organization Parent; Process Owner | Determines default ownership for controls imported from a catalog. |
| On the Evaluation tab, display | All controls (default); Only Key Controls; Only Controls marked “for Evaluation” | Determines which controls will be displayed on Evaluation tab. In V2.5.1, no parameter changes to the portlets are required. In addition, control display can be filtered by a new attribute, Key Control. |
| Show Control “For Evaluation” field | Yes (default); No | With the introduction of new field Key Control, the organization might decide to hide the “For Evaluation” options altogether. |
| Show Control Fraud Field | Yes (default); No | New control attribute: Fraud Detection. The organization might want to hide this field if not used during current reporting period. |
| Show Control Intention Field | Yes (default); No | New control attribute: Detective/Preventative. The organization might want to hide this field if not used during current reporting period. |
| The next four fields are related to showing Information Processing Assertions (CAVR) | Yes (default); No | New control attributes showing four check marks for Completeness, Accuracy, Validity, and (Access) Restriction for information processing. Some customers will use these attributes, but other organizations might want to hide these. |
| Hide Nonassociated Risk | No (default); Yes | Setting this to Yes will only show risks associated with an objective on the Evaluation tab. In V2.5.1, no parameter changes to the portlets are required. |
| Allow Process Attachments | Yes (default); No | IBM Workplace for Business Controls and Reporting V2.5.1 enables you to attach documents or reference URLs at the process level. Some organizations might want to restrict attachments to the subprocess and procedure levels supported in prior releases. |
| During Versioning | Do not keep evaluation data (default); Keep evaluation data; Only keep next evaluation date | Provides more granular control over what happens with evaluation data during versioning. When a version is created, the default setting is to remove all evaluation data from the new current version. In IBM Workplace for Business Controls and Reporting V2.5.1, all evaluation data can be maintained in the new current version, or only the next control evaluation date can be kept. |
| Support System-wide Auditors | No (default); Yes | If set to Yes, users can be added to the global auditors role and will have system-wide read access. If set to No, users can be added into the auditors role at the individual business object level to restrict an auditor’s access to a particular part of the organizational hierarchy. |

3.3.2 Customizing the IBM Workplace for Business Controls and
Reporting labels 

In this section, we examine how labels, keywords, and messages can be 
customized using the IBM Workplace for Business Controls and Reporting 
administrative Label Manager functionality. Keep in mind that no new fields can 
be added. In many cases, however, existing labels can be changed as long as 
changing the label does not affect the programming context. Labels can be field 
names, object names, column values, drop-down keyword values, button text,
message components, and so on. Also, for keyword fields, the drop-down list
values can be changed and new drop-down list values can be added to the list.
Drop-down values can also be removed from keyword fields. Label Manager has 
provisions to manipulate labels for any of the IBM Workplace for Business 
Controls and Reporting supported language locales. 

The Customize Label portlet has three distinct areas: 

► Add labels: To add new drop-down values to existing keyword fields 

► Modify labels: To change existing labels 

► Remove labels: To remove existing or custom-added drop-down values from 
keyword lists 


Note: In IBM Workplace for Business Controls and Reporting Version 2.5.1, 
the Label Manager is also used to provide labels so that custom reports can 
be made user accessible from the IBM Workplace for Business Controls and 
Reporting Reports tab. For details about adding custom reports to the user 
interface, refer to “Making the new report available through the Workplace for 
Business Controls and Reporting interface” on page 209. 


Changing existing labels 

To change an existing label, you first need to find the internal key for the label. 
After you get familiar with the application and internal keys, you might just want 
to scroll the list of internal keys that can be changed to find the relevant ones. 
See “Displaying internal keys for labels” on page 141 for instructions about how 
the internal keys can be displayed in the user interface to help you determine 
which keys need to be modified. 

In the next example, we change the default label Material Deficiency used in the 
Control Observations Impact field to Material Weakness, a term much more 
commonly used. 

To change the label, perform the following steps (see Figure 3-18 on page 149):

1. Select the wbcr.control.observation.label.impact.material_deficiency
label from the drop-down list in the Modify label section.

2. Select the locale (the default is English).

3. Provide a New value for the label, Material Weakness.

4. Click Modify label. 



A message (as displayed in Figure 3-19) appears at the top of the window to 
indicate whether the label was successfully updated. Version = -1 indicates that 
this label has been changed in the current version of the data set. Previous 
versions of the IBM Workplace for Business Controls and Reporting data set will 
have the original label. 



Figure 3-19 Message indicating that the label was successfully changed

Check that the label changed in the Impact field on the Control Observation
window and also in the Executive View, the Observations and Recommendations 
report, and the Heat Map Details report (a drill-down from the COSO Heat Map 
report). 

If you need to change a term that references a standard IBM Workplace for 
Business Controls and Reporting object type (for example, change the term 
Subprocess to Transaction to match the corporate terminology), there is a large 
number of labels that need to be adapted, including the object type label itself, 
button labels, references to the term in messages, column headings, 
administrative windows, reports, and so on. In this example, it adds up to 
approximately 45 label changes for one language only. 


Tip: To change a label such as Subprocess, which is referenced in numerous 
places, start by scrolling down the list of internal keys, select any key that has 
subprocess as part of the dotted notation, and change the value appropriately. 

Next, step through all the portlets on all the tabs and generate samples of all 
reports to check whether you missed any references. 

Use the global settings to switch the display to show internal keys if necessary 
to determine which additional labels to change. 


Adding labels 

The Add labels section on the Label Manager window enables you to add new 
drop-down values to existing keyword fields. To extend on the previous example, 
we add a new value for Inconsequential to the Impact field on the Control 
Observation window. The current values are: 

► N/A 

► Deficiency 

► Significant Deficiency 

► Material Weakness (the value modified in “Changing existing labels” on 
page 148) 

To add a new label, perform the following steps (see Figure 3-20 on page 151): 

1. In the Add label field, locate the internal key prefix for the field, 
wbcr.control.observation.label.impact. 

2. Add a new suffix for the label, inconsequential.

Note: The following restrictions apply to the suffix:

► The suffix key of the label must be composed of the characters a-z, 
A-Z, _ and 0-9. 

► The suffix key of the label must not include the single quotation mark 
character. 

► The suffix key of the label must not include the backslash character. 

► Do not start the suffix with a dot; it will automatically be added. 

► The maximum length of a complete key (prefix and new suffix) cannot 
exceed 128 characters. 


3. Select the language locale (the default is English). 

4. Enter the new Value for this label, Inconsequential.

5. Click Add label. 



In order to make this change complete throughout the entire application, we have to
update some of the reports, such as Executive View, Observations and 
Recommendations, and Heat Map, to see the addition of the new value. Refer to 
Appendix B, “Adding custom reports” on page 201 for ideas about how to get 
started. 

Removing labels 

Only labels with prefixes that are available in the Add label section can be
removed. Deleting such a label removes the value from the drop-down list. If a
label gets dropped from the system, but users had previously selected that
value, it will show up as ?? in the interface.

To remove a label, perform the following steps (see Figure 3-21):

1. Select the label to be removed from the list under the Remove label, for 
example, wbcr.observation.label.impact.inconsequential. 

2. Select a specific language locale, or leave the default to remove the label for 
all languages at once. 

3. Click Remove label from all locales. 



3.4 Configuring notifications and alerts 

IBM Workplace for Business Controls and Reporting provides an elaborate set of 
e-mail notification rules that can be configured by the Workplace for Business 
Controls and Reporting administrator. The e-mail notifications help keep 
Workplace for Business Controls and Reporting users up-to-date on progress 
and changes in the objects for which they have responsibilities. The e-mail alerts 
can also inform the relevant stakeholders about control evaluations that are due 
or overdue. If set up the right way, the mail notifications and alerts will help align 
the workflow across the Workplace for Business Controls and Reporting stages 
of scoping, documentation, evaluation, and monitoring. The actual message 
content for the different types of notifications and alerts can be customized 
through the Label Manager (3.4.4, “Customizing mail messages” on page 157). 

3.4.1 Active versus passive notifications 

There are two types of mail notification rules: 

► Active rules are triggered when changes are made to objects. The active 
component of the Notification Manager sends e-mails to the relevant 
stakeholders immediately. An example of an active mail rule: a subprocess 
owner changes a risk rating, and e-mail notifications are sent to the owners of 
controls that mitigate that risk. 

► Passive rules are tracked on a daily basis by the asynchronous component of 
the Notification Manager, which sends the due and overdue notifications if the 
associated rules are enabled. An example of a passive rule: control owners 
are notified 10 days before a control evaluation is due, while subprocess 
owners are notified one day after a control evaluation was due. Scheduling of 
the passive task is done through the Scheduler component in the IBM 
Workplace for Business Controls and Reporting administration, as described 
in 3.7.2, “Scheduling mail notifications” on page 184. 

3.4.2 Defining the SMTP server 

To set up or make changes to the SMTP server, perform the following steps: 

1. Navigate to WBCR Administration -> Notifications. 

Note: In IBM Workplace for Business Controls and Reporting V2.5 and 
IBM Workplace for Business Controls and Reporting V2.5.01, the SMTP 
server settings are part of the same portlet where the mail rules are 
configured. In IBM Workplace for Business Controls and Reporting V2.5.1, 
these functions are separated such that configuring mail rules remains a 
Workplace for Business Controls and Reporting administrative task 
performed through the Settings tab, while defining the SMTP server is 
considered a WebSphere Portal administrative task accessible through the 
Portal Administration page. 

2. Scroll to the bottom of the window. 

3. Enter the SMTP mail server address (for example, 
acmemailserver.acme.com). 

4. Enter the SMTP mail server password if one is required. This is the password 
associated with the administrator's e-mail address. 

5. Enter the SMTP mail server port number. (Enter -1 to use the default SMTP 
port.) 

6. Enter the administrator's e-mail address. This is the person who will appear in 
the From line of e-mails sent to users, for example, wbcradmin@acme.com; John 
Doe <wbcradmin@acme.com>; "John Doe" <wbcradmin@acme.com>. 

7. Click Apply to apply the changes. 

3.4.3 Enabling mail rules 


Note: After installation, all mail rules will be disabled by default. Caution is 
warranted when enabling rules, because the system might send large 
volumes of mail messages depending on the number of rules enabled, the 
types of recipients defined, and the level of activity in the database. Typically, 
during the documentation stage or initial stages of populating the system 
through imports, very few rules should be enabled to limit the number of 
messages being sent. 


Mail rules are defined per object type. Figure 3-22 shows the Notification portlet 
with the different object types as the tabs shown across the top of the portlet. 



For each object type, a number of rules can be enabled based on attribute 
changes. One or more recipient types can be selected for each rule. 

Owners of the various business objects (business unit, process, subprocess, 
control, procedure) can receive notifications for the field or attribute changes 
shown in Table 3-4. 


Table 3-4 Field or attribute changes 

Object type                     Field changes 
Business Unit                   Name, Owner, Delegates, Scope 
Process                         Name, Owner, Delegates, Documentation Complete 
Subprocess                      Name, Owner, Delegates, Financial Linkage changes 
Objective                       Name 
Risk                            Name, Rating, Objective-Risk 
Control                         Name, Owner, Delegates, Rating, Control Type 
Test Procedure                  Name, Owner, Delegates, Sample Size, New Sample Added 
Import                          Changes caused by reimport (dynamic update); 
                                New Catalog or New Catalog is reimported 
Control Evaluations (passive)   1, 10, 30 days before due; 
                                1, 10, 30 days after due 

Example 

The following example shows how to set up a mail rule that will inform the 
subprocess owners and control owners when a process owner changes the 
Documentation Complete value from No to Yes for a specific process (for 
example, Accounts Receivable). Assuming that the global setting for 
documentation complete is enforced (see 3.3.1, “Global settings” on 
page 135), control owners will know that they can start marking controls For 
Evaluation, at which point, actual testing can start. To set up the mail rule, 
perform the following steps (see Figure 3-23): 

1. Navigate to WBCR Administration -> Notifications. 

2. Go to the Process tab. 

3. From the Documentation complete changes list, select Control Owner, and 
then hold down the Control key and select Subprocess Owner. 

4. Click Apply. 



Figure 3-23 Sample mail rule for Documentation Complete changes 


With this rule enabled, as soon as Mitsuhiru Adachi, a process owner, saves the 
Accounts Receivable process object after switching the Documentation 
Complete field from No to Yes, the Notification Manager component checks 
whether the rule is enabled, determines who to inform, constructs the relevant 
message, and sends it through the SMTP mail server. 

Cathy Cee, one of the control owners defined for the accounts receivable 
process, receives the message shown in Figure 3-24. 



Figure 3-24 Sample mail message sent after Documentation Complete was changed 


Tip: When new objects are created, the active rules are also triggered. To 
inform a user that he or she is now the owner of a newly created process, you 
enable the rule to notify process owners when the Owner field for the process 
object type changes. 


3.4.4 Customizing mail messages 

There is some capability to control the contents of the subject and body of the 
messages that are sent by customizing labels with the Label Manager 
component. All labels related to the mail messages start with the dotted notation 
prefix wbcr.notifications.label. 

The overall structure of the messages is fixed. You cannot change the order in 
which the various label elements are being used to construct the message. Nor 
can you change which label elements will be included in the message. You can, 
however, change the label values as long as you keep in mind that many of the 
labels are used across different notification events, that is, in many cases, the 
labels have to be sufficiently generic to be used across multiple events. 

If you need to find out which label elements are used in a specific message, use 
the global settings to display the keys rather than the values, and then make a 
change so that a sample message will be sent. The mail notification will be sent 
with the label keys rather than the label values, so you will be able to see 
what can be changed and which labels to look for in the Label Manager, as 
shown in Example 3-1. The elements shown in bold can be customized but will 
be applied to all messages sent because of attribute changes. Elements in bold 
italic can be customized and are specific to the message sent because of the 
change in the Documentation Complete field. 

All messages and alerts have a label that enables you to add a piece of generic 
text at the bottom of the body content. In this case, whatever text string you apply 
as the value for the wbcr.notifications.label.email.body.extra_active label (for 
example, Help ACME become 100% compliant by year end!) will be appended to 
all actively triggered messages. 

Example 3-1 Message sent with labels rather than values 
Subject: 

wbcr.notifications.label.email.subj.prefix 

wbcr.notifications.label.email.subj.change: wbcr.process.label.process - 
wbcr.notifications.label.email.process_doc_complete 

Body: 

wbcr.notifications.label.email.body.intro 

wbcr.notifications.label.email.body.item_type wbcr.process.label.process 
wbcr.notifications.label.email.body.itemname Accounts Payable 
wbcr.notifications.label.email.body.itemattrtype 
wbcr.notifications.label.email.process_doc_complete 
wbcr.notifications.label.email.body.action 
wbcr.notifications.label.email.act.fieldchg 
wbcr.notifications.label.email.body.newvalue 
wbcr.notifications.label.email.process_doc_complete - 
wbcr.process.select.doccomplete.yes 

wbcr.notifications.label.email.body.who "mitsuhiru adachi" 
<mitsuhiru_adachi@acme.com> 

wbcr.notifications.label.email.body.when Jun 16, 2005 2:04:43 PM EDT 
wbcr.notifications.label.email.body.extra_active 


3.5 Import 

Most organizations already have large parts or all of their documentation and 
control matrixes completed. Some organizations might be migrating to IBM 
Workplace for Business Controls and Reporting from a spreadsheet-based 
method; others might be migrating from another vendor’s or auditor’s tool. 

In this section, we discuss two different ways to import existing data into the IBM 
Workplace for Business Controls and Reporting environment: 

► Catalog import 

A catalog is a centralized repository of process, subprocess, objective, risk, 
control, and procedure information. A catalog is first loaded into the system by 
the Workplace for Business Controls and Reporting administrator. After it is 
loaded, business unit owners can select processes and subprocesses from 
any of the catalogs made available and associate an instance of the selected 
process tree with the business unit. 

We recommend the use of catalogs when best practices, company standards, 
and guidelines need to be propagated across the enterprise. Obviously, 
catalogs are useful when the same processes and related controls are 
documented and evaluated in multiple locations. 

The catalog import also supports the concept of dynamic updates, allowing 
changes to the catalog to be automatically propagated to instances imported 
from those catalogs, helping reduce maintenance efforts and provide 
sustainable compliance over time. 

► Back-end data import 

The back-end data import enables you to batch-load large numbers of 
spreadsheets containing process, subprocess, objective, risk, control, and 
procedure information. Unlike a catalog import, the back-end import does not 
require end-user interaction and data will automatically be associated with 
designated business units. After the data is loaded, it can only be 
manipulated through the IBM Workplace for Business Controls and Reporting 
user interface; dynamic updates cannot be applied to data imported this way. 
We recommend the use of the data import mechanism when large amounts of 
data already exist or will be migrated from other tools. In general, the data 
import is the fastest way to populate the IBM Workplace for Business Controls 
and Reporting system. 

Populating the spreadsheets with data obviously is not strictly a responsibility of 
the IBM Workplace for Business Controls and Reporting administrator and will 
usually be done by a combination of people in the compliance project office, 
internal audit, and business unit managers. A description of the spreadsheet 
templates is included here for IBM Workplace for Business Controls and 
Reporting administrators to understand the structure and restrictions to help 
identify potential errors in the spreadsheet when it is loaded into the system. 

Note: IBM Workplace for Business Controls and Reporting catalogs can be 
defined in a Microsoft Excel template, or alternatively as XML. We have not 
seen many instances where XML is used as a way to express control 
matrixes. Furthermore, XML-based catalogs in IBM Workplace for Business 
Controls and Reporting do not support the dynamic update concept and are 
not discussed as part of this Redpaper. See the IBM Workplace for Business 
Controls and Reporting Information Center for more information about XML 
schemas. 


3.5.1 Catalog import 

In this section, we describe: 

► Creating the control matrix in the IBM Workplace for Business Controls and 
Reporting spreadsheet format. 

► Importing the catalog into IBM Workplace for Business Controls and 
Reporting. 

► Importing a process instance from the catalog and associating it with a 
business unit (see also “Importing a process” on page 58). 

► Reimporting a catalog after making changes to the spreadsheet. 

► Effects of dynamic update. 

Catalog import spreadsheet template 

A spreadsheet template with sample data is included as additional material with 
this Redpaper. See Appendix C, “Additional material” on page 221 for more 
information. Download the CatalogSample.xls file. 

After downloading this file, open the CatalogSample file in Microsoft Excel. You 
can remove all the data from the three sheets except the column headers. Save 
the blank template. In this section, we also refer to some of the sample data. 

Depth-first traversing of tree 

Consider that your process structure looks similar to what is displayed in 
Figure 3-25 on page 161. It is important to understand that the import routine 
follows a depth-first traversing of the tree, that is, in your spreadsheet, all the 
elements of process 1 are defined above the elements for process 2. Likewise, 
all the elements for subprocess 1.1 are defined above the elements for 
subprocess 1.2. 

Partial tree structures can be imported, as long as the hierarchical order is 
followed. As an example, it is possible to define only a process, a subprocess, 
and three objectives for that subprocess, and then continue with the next 
subprocess. This enables you to import documentation starting points but leave 
the risk identification and subsequent documentation of mitigating controls to the 
process owners after an instance of the partial structure has been associated 
with a business unit. 


1 Process 
  1.1 Subprocess 
    1.1.1 Objective 
    1.1.2 Risk 
      1.1.2.1 Control 
        1.1.2.1.1 Procedure 
  1.2 Subprocess 
    1.2.1 Objective 
    1.2.2 Risk 
      1.2.2.1 Control 

Figure 3-25 When importing, the tree is traversed depth-first 


Understanding the risk-objective relationship 

It is important to also understand that the relationship between risks and 
objectives is not a parent-child relationship, even though the spreadsheet layout 
and the IBM Workplace for Business Controls and Reporting navigation tree 
might suggest this. As displayed in Figure 3-25, in the underlying IBM Workplace 
for Business Controls and Reporting data model, both risks and objectives are 
child objects of the subprocess. The relationship, which risk or risks have been 
identified for which objective or objectives, is established through association. 
This allows a risk to be associated with multiple objectives within the same 
subprocess and, vice versa, one objective to be associated with multiple risks 
within the same subprocess. 


Filling in the spreadsheet 

Data in the spreadsheet for a catalog import is laid out vertically. Each row 
represents an object type and its attributes. Figure 3-26 on page 162 shows a 
high-level abstraction of the spreadsheet. 

Figure 3-26 Abstracted view of data layout for catalog import 

When imported, this data creates the following structure underneath the 
business unit where the instance is imported: 

Process 1 has two subprocesses. Subprocess 1 has two objectives. Risk 1 is 
associated with both objectives (on rows 4 and 5). Risk 1 has two defined 
controls. Control 2 has one defined test procedure. Risk 2 is associated with 
objective 2 (on row 5). Risk 2 has one defined control. 

We now discuss in detail the columns, possible values, and restrictions when 
filling out the Control Catalog Sheet of the spreadsheet template: 

► Column A: Type 

- Required: Yes. 

- Possible values: Process, Subprocess, Objective, Risk, Control, 
Procedure. 

► Column B: Outline 

- Required: No. 

- Applies to: All object types. 

- This can be any outline scheme the organization wants to use. Often, this 
is used to cross-reference pieces of documentation, such as flowchart 
diagrams that will be attached to the subprocess. 

- We recommend using an outline numbering scheme that can be used to 
uniquely identify each object within a process. If an outline exists, the 
dynamic update will use it to identify imported objects that potentially need 
updating. If there is no outline, the dynamic update routine will use the 
object’s name, essentially making it impossible to change an object’s 
name through the dynamic update. 

► Column C: Name 

- Required: Yes. 

- Applies to: All object types. 

- The maximum number of characters is 512. If more characters are 
entered, these will not be imported. Consider setting up your template to 
validate the text length in column C (see Figure 3-27): 

i. Select Column C. 

ii. Select Data -> Validation. 

iii. In the Validation criteria, select Text length, less than, and 512 so that 
the text length will be less than 512. 

iv. Click OK. 



Figure 3-27 Validating length in the Name column 

► Column D: Description 

- Required: No. 

- Applies to: All object types. 


- The maximum number of characters is 1024. Consider setting up a 
validation of the number of characters as part of the template. 

► Column E: Locked 

- Required: No. 

- Applies to: All object types. 

- Possible values: Yes, No (default). 

- An organization might want to lock down the definition, name, and 
attributes of specific objects in the catalog. After being imported from a 
catalog, a locked object cannot be modified through the IBM Workplace 
for Business Controls and Reporting interface. Updates to these objects 
are only possible by making changes in the spreadsheet and reloading it 
into IBM Workplace for Business Controls and Reporting. The dynamic 
update process applies the changes to the locked objects that have 
already been imported. 

► Column F: Owner 

- Required: No. 

- Applies to: Process, Subprocess, Control, Procedure. 

- Possible values: Only one value allowed. If left blank, ownership will be 
determined by the global setting for the default process owner (Version 
2.5) or the default control owner (Version 2.5.1 only). The user name can 
be entered as an e-mail address (jim_doe@acme.com), the short ID 
(jim_doe), or the fully qualified name (uid=jim_doe, cn=user, dc=acme, 
dc=com). 


Note: For control catalogs that are intended to be used in multiple 
locations across the enterprise, the Owner and Delegates fields will most 
likely be left blank, so ownership is determined during and after a business 
unit owner performs an import and associates a process instance with the 
business unit. In other cases, however, a control catalog might be very 
specific to a particular business unit such that ownership can be predefined 
and maintained as part of the catalog. 


► Column G: Delegates 

- Required: No. 

- Applies to: Process, Subprocess, Control, Procedure. 

- Possible values: Multiple values are allowed. The user name can be 
entered as an e-mail address (jim_doe@acme.com), the short ID (jim_doe), 
or the fully qualified name (uid=jim_doe, cn=user, dc=acme, dc=com). 
Multiple names are separated by semicolons. 

► Column H: Procedure.Frequency 

- Required: Not used in this release. 

- Leave the column blank. 

► Column I: Control.Component 

- Required: No. If left blank, the value will be imported as None. 

- Applies to: Control. 

- Possible values: Control Environment, Risk Assessment, Control 
Activities, Information/Communication, Monitoring. 


Note: If additional labels have been added for the COSO component 
field through the Label Manager (see “Adding labels” on page 150), 
these additional choices are also valid options. For example, Objective 
Setting, Event Identification, and Risk Response from the COSO ERM 
framework can be included this way. 


- Consider adding validation for this column by listing the possible values. In 
the Source field, list the possible options, separated by commas, as 
shown in Figure 3-28. 



Figure 3-28 Adding Validation to the Spreadsheet column 

► Column J: Control.Type 

- Required: No. If left blank, the value will be imported as None. 

- Applies to: Control object only. 

- Possible values: Authorization, System Configuration, Exception / edit 
report, Interface / Conversion, Key Performance Indication, Management 
Review, Reconciliation, Segregation of Duties, System Access. 


Note: Exception / edit report and Interface / Conversion must be used 
exactly as shown: lowercase e in edit report and spaces around the /. 


- If Label Manager was used to add custom values for the Type keywords 
field or to change existing keywords for this field, these are the values that 
can be entered in this column. Consider adding validation with the list of 
possible values, as described earlier for Control.Component. 

► Columns K-P: Financial Assertions (completeness, existence, presentation, 
accuracy, valuation, ownership, presentation) 

These six columns correspond to the six check marks for Financial Assertions 
on the control window. 

- Required: No. 

- Applies to: Control object only. 

- Possible values: Yes, No. 

- Column can be left blank, which is equivalent to a value of No. 

► Column Q: Objective.Risks 

- Required: No. 

- Applies to: Risk object only. 

- Possible values: Any row number above this risk that refers to an objective 
will create an association between this risk and the objective. The 
objective has to be part of the same subprocess. One risk can be 
associated with multiple objectives within the same subprocess. Multiple 
row numbers are separated by commas or semicolons. 

- After importing a process from a catalog, a risk that was associated with 
an objective will show the check mark selected, as shown in Figure 3-29 
on page 167. 


Note: Moving, removing, or inserting rows will affect the references. 
Consider using formulas such as: 

=ROW(A4) & "," & ROW(A18) 

Result: 4,18 
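
The column rules and the depth-first ordering described above can be checked before a spreadsheet is uploaded, so that a failed import task or a silently broken Objective.Risks reference is caught early. The following Python validator is an added example, not part of this Redpaper or the product; its function and variable names are hypothetical, rows are supplied as dictionaries keyed by the column names, and it assumes that spreadsheet row 1 holds the column headers and that Locked must match Yes or No exactly.

```python
import re

# Parent each object type needs in the branch currently being read (None = top level).
# Objectives and risks are both children of the subprocess, as the text explains.
PARENT = {"Process": None, "Subprocess": "Process", "Objective": "Subprocess",
          "Risk": "Subprocess", "Control": "Risk", "Procedure": "Control"}
DEPTH = {"Process": 0, "Subprocess": 1, "Objective": 2, "Risk": 2,
         "Control": 3, "Procedure": 4}
MAX_NAME, MAX_DESCRIPTION = 512, 1024
FIRST_DATA_ROW = 2  # assumption: spreadsheet row 1 holds the column headers


def validate_catalog(rows):
    """Check Control Catalog Sheet rows; return a list of (row_number, message)."""
    findings = []
    open_branch = {}         # object type -> row number of the open object
    objectives_here = set()  # rows of objectives in the current subprocess
    for rownum, row in enumerate(rows, start=FIRST_DATA_ROW):
        typ = str(row.get("Type") or "").strip()
        if typ not in PARENT:
            findings.append((rownum, f"invalid Type {typ!r}"))
            continue
        name = str(row.get("Name") or "").strip()
        if not name:
            findings.append((rownum, "Name is required"))
        elif len(name) > MAX_NAME:
            findings.append((rownum, f"Name exceeds {MAX_NAME} characters"))
        if len(str(row.get("Description") or "")) > MAX_DESCRIPTION:
            findings.append((rownum, f"Description exceeds {MAX_DESCRIPTION} characters"))
        # Exact-case match is a strictness assumption of this example.
        if str(row.get("Locked") or "No").strip() not in ("Yes", "No"):
            findings.append((rownum, "Locked must be Yes or No"))
        if ";" in str(row.get("Owner") or ""):
            findings.append((rownum, "Owner allows only one value"))

        # Depth-first order: the parent type must already be open above this row.
        parent = PARENT[typ]
        if parent is not None and parent not in open_branch:
            findings.append((rownum, f"{typ} has no {parent} above it"))
        # A new object closes every open object at its own depth or deeper.
        for other in [t for t in open_branch if DEPTH[t] >= DEPTH[typ]]:
            del open_branch[other]
        open_branch[typ] = rownum
        if DEPTH[typ] <= DEPTH["Subprocess"]:
            objectives_here = set()
        if typ == "Objective":
            objectives_here.add(rownum)

        # Objective.Risks: row numbers of objectives above, in the same subprocess.
        refs = str(row.get("Objective.Risks") or "").strip()
        if refs and typ != "Risk":
            findings.append((rownum, "Objective.Risks applies to Risk rows only"))
        elif refs:
            for token in re.split(r"[;,]", refs):
                token = token.strip()
                if not re.fullmatch(r"[0-9]+", token):
                    findings.append((rownum, f"bad row reference {token!r}"))
                elif int(token) not in objectives_here:
                    findings.append((rownum, f"row {token} is not an objective "
                                             "above this risk in the same subprocess"))
    return findings


# Constructed sample following the layout the text describes for Figure 3-26.
GOOD = [
    {"Type": "Process", "Name": "Process 1"},                      # row 2
    {"Type": "Subprocess", "Name": "Subprocess 1"},                # row 3
    {"Type": "Objective", "Name": "Objective 1"},                  # row 4
    {"Type": "Objective", "Name": "Objective 2"},                  # row 5
    {"Type": "Risk", "Name": "Risk 1", "Objective.Risks": "4,5"},  # row 6
    {"Type": "Control", "Name": "Control 1"},                      # row 7
    {"Type": "Control", "Name": "Control 2"},                      # row 8
    {"Type": "Procedure", "Name": "Procedure 1"},                  # row 9
    {"Type": "Risk", "Name": "Risk 2", "Objective.Risks": "5"},    # row 10
    {"Type": "Control", "Name": "Control 3"},                      # row 11
    {"Type": "Subprocess", "Name": "Subprocess 2"},                # row 12
]

# Constructed faulty sheet: a deleted Risk row has shifted everything below it.
BAD = [
    {"Type": "Process", "Name": "Process 1"},                      # row 2
    {"Type": "Subprocess", "Name": "Subprocess 1"},                # row 3
    {"Type": "Objective", "Name": "Objective 1"},                  # row 4
    {"Type": "Control", "Name": "Control 1"},                      # row 5: no Risk open
    {"Type": "Subprocess", "Name": ""},                            # row 6: no name
    {"Type": "Risk", "Name": "Risk 1", "Objective.Risks": "4;x"},  # row 7: stale refs
    {"Type": "Objective", "Name": "N" * 513, "Locked": "Maybe"},   # row 8
]

if __name__ == "__main__":
    for rownum, message in validate_catalog(BAD):
        print(f"row {rownum}: {message}")
```

Row 7 in the faulty sheet shows the failure the Note warns about: the reference to row 4 still points at an objective, but one that now belongs to a different subprocess.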

Figure 3-29 Objective-risk association after import from catalog 

Financial statement linkage 

Optionally, the spreadsheet template can also be used to predefine the linkage 
between subprocesses and significant line items on the financial statements 
(income statement, balance sheet, and disclosures). 

When the spreadsheet is loaded into IBM Workplace for Business Controls and 
Reporting by the administrator, the captions and line items will not be visible yet 
to end users. Only when a user imports a subprocess that had predefined 
linkage in the catalog will the captions and line items be created in the financial 
statement database tables and become visible on the Financial Reports tab. 

The spreadsheet template contains three additional sheets for optional financial 
statements labeled: Income, Balance, Disclosure. 

We now discuss the columns, possible values, and restrictions on these sheets: 

► Column A: Type 

- Required: Yes. 

- Possible values: FinStmt, Category, Caption, Subcaption. 

- Type = Category can only be used for the balance sheet (that is, if column 
H FinStmt.Type contains Balance). 

► Column B: Category Label 

- Required: Yes. 

- Applies to: Category, Caption, Subcaption. 

► Column C: Balance1 

- Required: No. 

- Applies to: Subcaption. 

► Column D: Balance2 

- Required: No. 

- Applies to: Subcaption. 

► Column E: Locked 

- Required: No. 

- Possible values: Yes, No (default). 

- When Locked = Yes, values can only be changed through the dynamic 
update. After they are imported, values cannot be changed through the 
IBM Workplace for Business Controls and Reporting user interface. 

► Column F: Subcaption.Significant 

- Required: No. 

- Applies to: Subcaption. 

- Possible values: Yes, No (default). 

- Subprocess linkage can only be established for subcaptions that are 
marked as Significant. We recommend that you only include those 
financial statement line items that are significant as part of the catalog. 

► Column G: Subcaption.Subprocess 

- Required: No. 

- Applies to: Subcaption. 

- Possible values: Any row number that references a subprocess object on 
the Control Catalog Sheet. When a business unit or process owner 
imports the referenced subprocess, the corresponding category (balance 
sheet only), caption, and subcaption will be created on the relevant 
financial statement. The linkage between that subprocess and significant 
line item will also be created at that time. 

- A significant line item can be associated with multiple subprocesses on 
the Control Catalog Sheet, but they have to be part of the same spreadsheet. 
Multiple row numbers are separated by commas or semicolons. 

- Multiple significant line items can reference the same subprocess. 


Note: Inserting, removing, or moving elements on the Control Catalog 
Sheet might have an impact on row number references. 

► Column H: FinStmt.Type 

- Required: Yes. 

- Applies to: FinStmt only (that is, only requires a value if column A Type = 
FinStmt). 

- Possible values: Income, Balance, Disclosure. 

► Columns I - L: Not used 


Note: There are new fields for Workplace for Business Controls and Reporting 
V2.5.1: 

► Ref ID (mandatory unique identifier for non-financial data used in 
enhanced dynamic update model) 

► Control.KeyControl 

► Control.Fraud 

► Control.PreventType 

► Finstmt.Title3, Title4 

► Finstmt.SubTitle3, SubTitle4 

► Finstmt.Balance3, Balance4 

Importing the spreadsheet 

To import a completed spreadsheet into IBM Workplace for Business Controls 
and Reporting, perform the following steps: 

1. Navigate to WBCR Administration -> Import. 

2. Click Import Catalog. 

3. Fill out a description in the Description field (for example, Redpaper Sample 
Catalog). The descriptive name you provide here will be visible to end users 
when they select a catalog from which to import. See Figure 3-30 on 
page 170. 

4. Click Browse to select the spreadsheet from your local system. 

5. Click OK. 

Figure 3-30 Specifying new catalog to be imported 


A message appears to inform you that the request has been sent to the server. 
You can click the Back link on this window to return to the list of catalogs. The 
new catalog will be appended as the last in the list. If necessary, use the page 
buttons at the bottom of the list to navigate to the last page in the list. 

Click Refresh to check whether the catalog imported successfully. If it did, you 
will see the new catalog at the bottom listed as Active, as shown in Figure 3-31. 

Business unit owners can now use the catalog to associate process instances 
with a business unit they own as described in “Importing a process” on page 58. 


Import Catalog 

Description                         File Name            Creation Date      Status 
Banking - Credit Risk and Lending                        2/5/05 1:33 PM     Active 
Anbev Sample                                             2/5/05 1:33 PM     Active 
BTO-Joint Venture                                        2/5/05 1:33 PM     Active 
BTO-General Accounting                                   2/5/05 1:33 PM     Active 
CObIT control objectives            COBIT Import25.xls   4/22/05 1:19 PM    Active 
COSO Sample                         COSO Import25.xls    5/18/05 3:53 PM    Active 
Redpaper Sample Catalog             RedpaperSample.xls   6/20/05 11:06 AM   Active 

Page 4 of 4   Total: 37   Displayed: 7 

Figure 3-31 New catalog successfully loaded and active 


Depending on the size of the catalog and system activity, the import can take 
anywhere from 30 seconds to several minutes. If you do not see the new catalog 
after a couple of minutes, you might want to check the Scheduler, which will give you 
information about the success or failure of the import task. Figure 3-32 shows a 
failed import task at the bottom of the list because required values (for example, 
the name of an object) were not specified. At that point, the Workplace for 
Business Controls and Reporting administrator checks the original spreadsheet 
for missing required values and performs the upload again after fixing the issue. 



Figure 3-32 Checking catalog import status through the Scheduler 


Editing a catalog entry 

A catalog entry can be edited to change the description or change its status from 
Active to Inactive and vice versa. An inactive catalog is not visible to end users 
for the process import. 

To edit a catalog entry, perform the following steps: 

1. Navigate to the catalog entry by selecting WBCR Administration -> Import. 

2. Click the Edit icon next to the catalog entry to be edited. 

3. Change the Description if necessary, as shown in Figure 3-33 on page 172. 

4. Change the Status if necessary. 

5. Click OK. 

Figure 3-33 Editing a catalog entry 


Reimporting a spreadsheet and dynamic update 

IBM Workplace for Business Controls and Reporting allows changes made to a 
spreadsheet to be reimported so that the catalog tables are updated. A reimport 
process also updates any process instance (and its related business elements) a 
business unit owner had associated with a business unit by importing it from that 
catalog. The concept of propagating catalog changes across imported instances 
is called dynamic update. The following restrictions apply: 

► In order not to overwrite and undo any changes made through the IBM 
Workplace for Business Controls and Reporting application interface by end 
users, only objects that have not changed since being imported will be 
affected by the dynamic update. For example, if a user had modified a risk 
description, a change to that risk in the catalog will not be propagated to that 
particular imported risk instance. 

► New objects added to the catalog will not be propagated to imported 
instances. For example, adding a new subprocess to the catalog will not show 
up under a process instance that was already imported from that catalog. 

► Objects that are removed from the catalog will not be removed from imported 
instances. For example, removing a control from the catalog will not remove 
any imported instances of that control. 
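
The three restrictions above, combined with the outline-or-name matching described for Column B, can be modeled in a few lines to predict what a reimport will and will not change. This simplified Python model is an added example, not the product's implementation; the class and function names are hypothetical, only the Name and Description fields are modeled, and the sample objects are constructed.

```python
from dataclasses import dataclass


@dataclass
class CatalogObject:
    outline: str           # Column B; may be empty
    name: str              # Column C
    description: str = ""  # Column D


@dataclass
class ImportedInstance:
    outline: str
    name: str
    description: str = ""
    edited_in_ui: bool = False  # changed by an end user since the import


def match_key(obj):
    """The outline identifies the object if present; otherwise the name does."""
    return ("outline", obj.outline) if obj.outline else ("name", obj.name)


def dynamic_update(catalog, instances):
    """Apply a reimported catalog to imported instances and return a report."""
    by_key = {match_key(c): c for c in catalog}
    report = {"updated": [], "kept_user_edit": [],
              "removed_but_kept": [], "new_not_propagated": []}
    matched = set()
    for inst in instances:
        key = match_key(inst)
        source = by_key.get(key)
        if source is None:
            # Removed from (or no longer identifiable in) the catalog: instance stays.
            report["removed_but_kept"].append(inst.name)
            continue
        matched.add(key)
        if inst.edited_in_ui:
            # Changes made through the user interface are never overwritten.
            report["kept_user_edit"].append(inst.name)
        elif (inst.name, inst.description) != (source.name, source.description):
            inst.name, inst.description = source.name, source.description
            report["updated"].append(inst.name)
    # Catalog objects with no imported counterpart are not added to instances.
    report["new_not_propagated"] = [c.name for c in catalog
                                    if match_key(c) not in matched]
    return report


def demo():
    """Constructed data: the same rename with and without an outline."""
    with_outline = [ImportedInstance("1.1.2", "Unauthorized credit"),
                    ImportedInstance("1.1.3", "Late posting", "edited text", True)]
    catalog_a = [CatalogObject("1.1.2", "Unauthorized credit approval"),
                 CatalogObject("1.1.3", "Late posting", "new catalog text"),
                 CatalogObject("1.1.4", "Duplicate invoice")]
    no_outline = [ImportedInstance("", "Unauthorized credit")]
    catalog_b = [CatalogObject("", "Unauthorized credit approval")]
    return (dynamic_update(catalog_a, with_outline),
            dynamic_update(catalog_b, no_outline))


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Without an outline, the renamed catalog risk no longer matches its imported instance, so the rename is treated as one removed object plus one new object and nothing is updated.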

To reimport a catalog, perform the following steps: 

1. Navigate to WBCR Administration -> Import. 

2. Navigate to the page that lists the catalog entry to be reimported. 

3. Click the Reimport icon next to the catalog entry. 

4. If desired, change the Description field. 

5. Browse for the updated spreadsheet file and select it. 

6. Click OK. 

7. Click the Back link and Refresh to see the updated status. If necessary, 
check the status of the import task through the Scheduler. 


Note: When using the Workplace for Business Controls and Reporting V2.5.1 
spreadsheet template, new dynamic update rules apply: 

► If new objectives, risks, controls or procedures are added to a catalog and 
reimported, these new items will be added to the Workplace for Business 
Controls and Reporting associated data if the parent of those items had 
already been associated with an organization unit. 

► New processes and subprocesses will not be added to the Workplace for 
Business Controls and Reporting associated data. They must be 
associated through the UI. 

► Imported items that were subsequently edited in the user interface will only 
be marked as changed (“deviated”) if importable fields were modified. If 
non-importable fields were modified, the item is still eligible for dynamic 
update. 
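
The dynamic update rules above can be checked against a small model before a reimport is run on real control data. The following is an added example, not code from the product or this Redpaper; the `IMPORTABLE` field set, the object IDs, and the sample catalog are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: the fields a spreadsheet can carry. The page only says that
# "importable fields" exist; the field names here are illustrative.
IMPORTABLE = {"description"}
# Object types the V2.5.1 rules add on reimport when the parent is associated.
ADDABLE_V251 = {"objective", "risk", "control", "procedure"}


@dataclass
class Instance:
    """An object imported from a catalog and associated with a business unit."""
    kind: str
    parent: str
    values: dict
    edited: set = field(default_factory=set)  # field names changed in the UI

    def edit(self, name, value):
        self.values[name] = value
        self.edited.add(name)

    def deviated(self, v251):
        # Original rule: any change blocks dynamic update. V2.5.1 template:
        # only a change to an importable field marks the item as deviated.
        return bool(self.edited & IMPORTABLE) if v251 else bool(self.edited)


def reimport(instances, catalog, v251=False):
    """Apply a reimported catalog to the imported instances, return a report."""
    report = {k: [] for k in ("updated", "skipped", "kept", "added", "not_added")}
    for oid, inst in instances.items():
        if oid not in catalog:
            report["kept"].append(oid)        # removals are not propagated
        elif inst.deviated(v251):
            report["skipped"].append(oid)     # user changes are not overwritten
        else:
            new = {k: v for k, v in catalog[oid]["fields"].items()
                   if k in IMPORTABLE and inst.values.get(k) != v}
            if new:
                inst.values.update(new)
                report["updated"].append(oid)
    for oid, entry_ in catalog.items():
        if oid in instances:
            continue
        if v251 and entry_["kind"] in ADDABLE_V251 and entry_["parent"] in instances:
            instances[oid] = Instance(entry_["kind"], entry_["parent"],
                                      dict(entry_["fields"]))
            report["added"].append(oid)
        else:
            report["not_added"].append(oid)   # not propagated to instances
    return report


def entry(kind, parent, description):
    return {"kind": kind, "parent": parent, "fields": {"description": description}}


def scenario(v251):
    """Constructed sample: import a process tree, edit it, reimport the catalog."""
    first = {
        "P1": entry("process", "", "Order to cash"),
        "S1": entry("subprocess", "P1", "Billing"),
        "O1": entry("objective", "S1", "All shipments are invoiced"),
        "R1": entry("risk", "O1", "Unbilled shipments"),
        "C1": entry("control", "R1", "Monthly reconciliation"),
        "C2": entry("control", "R1", "Credit check"),
        "C3": entry("control", "R1", "Manual sign-off"),
    }
    inst = {oid: Instance(e["kind"], e["parent"], dict(e["fields"]))
            for oid, e in first.items()}
    inst["R1"].edit("description", "Unbilled or late shipments")  # importable
    inst["C1"].edit("owner", "jim_doe")                           # not importable
    second = dict(first)
    second["R1"] = entry("risk", "O1", "Shipments not invoiced")
    second["C1"] = entry("control", "R1", "Weekly reconciliation")
    second["C2"] = entry("control", "R1", "Credit check before release")
    del second["C3"]                                    # removed from catalog
    second["C4"] = entry("control", "R1", "Invoice numbering check")
    second["S2"] = entry("subprocess", "P1", "Collections")
    return inst, reimport(inst, second, v251)
```

Objects reported as skipped or kept are where the imported instance and the catalog now disagree, which makes the report a useful checklist for a manual review after each reimport.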


Sending out notifications when catalogs are imported 

Business unit owners and process owners can be automatically informed when a 
catalog is imported or reimported. There are two notification events related to 
catalog reimports, as shown in the Notification Manager window in Figure 3-34. 



If the second setting, “New Catalog import or existing Catalog reimport,” is 
enabled, business unit owners will be informed when a new catalog is loaded the 
very first time and business unit owners or impacted process owners, or both, will 
be informed when a catalog is reimported. 

If the first setting is enabled, “Changes caused by a reimport to Process or 
Subprocess, send to Recipient(s),” impacted business unit owners or process 
owners, or both, will receive a separate message for any object possibly 
impacted by a catalog change. In the example scenario (in the following Example 
box), in which three control descriptions changed, the process owner receives 
messages not only to notify about the changes made to the individual controls 
but also separate messages about the potential objectives, risks, subprocesses, 
financial statement line items, and process that might have been impacted. 


Example: The process owner imported an instance of process ABC from a 
catalog. After importing, the process owner assigns control ownership for 
control X to Jim Doe. The process owner also makes a change to control Y by 
marking it as an Automated Control. 

Next, the spreadsheet is updated and changes are made to controls X, Y, and 
Z. After the Workplace for Business Controls and Reporting administrator 
reimports the catalog, only the change in control Z will be reflected under the 
imported instance of process ABC. Impacted owners might receive e-mail 
notifications about changes. 


Note: In the current release, we recommend that you do not enable 
notifications caused by a reimport to process or subprocess. The number of 
messages to a single recipient cannot be restricted, nor is the content of the 
messages particularly useful. Future releases of the product will build on the 
foundation and address this issue more effectively. 


3.5.2 Data import 

The back-end data import utility is used to do a batch upload of process and 
control data and automatically associate the process trees with the relevant 
business units. Data is defined using the Control Import Spreadsheet template, 
which uses a very different layout and supports different attributes to be 
uploaded. The Data Import utility, however, does not support subsequent 
dynamic updates; data is loaded directly into the back-end IBM Workplace for 
Business Controls and Reporting data model without creating separate catalog 
tables. 

Many customers will already have large parts of their controls documentation 
prepared in spreadsheet formats. In most cases, the layout used will more 
closely match the IBM Workplace for Business Controls and Reporting data 
import format than the hierarchically organized catalog format. In those cases, 
when an organization needs to get up and running as quickly as possible and 
dynamic update is not a current priority, it makes sense to use the back-end data 
import. 

Obtaining the data import utility 

The download package for the data import utility contains the spreadsheet 
template, the download code, the batch file, and extensive instructions for set-up, 
data format, running the utility, and logging. For that reason, in this Redpaper, we 
do not discuss the import process and data format in detail and only provide a 
number of hints and issues requiring special attention. 


Note: You can download the data import utility from: 

ftp://ftp.software.ibm.com/software/lotus/fixes/workplace/WBCR/wbcr2.5_import.zip 


Consider the following items: 

► The utility needs to be run by an IT administrator. In general, this will not be 
the IBM Workplace for Business Controls and Reporting administrator. The 
user performing the import needs to have IBM Workplace for Business 
Controls and Reporting database administration rights and access to the file 
system of a server or workstation with the DB2 Client, DB2 Administrator, or 
DB2 Development Client installed. 

► Data in the spreadsheet is laid out horizontally, where each row essentially 
represents a control or a test procedure. On each row, the related process, 
subprocess, objective, and risk data is repeated. Figure 3-35 on page 176 
shows an abstraction of data layout in this format. 

Figure 3-35 Abstracted view of data in Import template 


► When imported, the structure shown in Figure 3-35 creates: 

Process 1 under BU 1. Process 1 has two subprocesses. Subprocess 1 has 
two objectives. Risk 1 will be associated with objective 1. Risk 1 has two 
defined controls. Risk 2 is associated with objective 2. Risk 2 has one control. 
Subprocess 2 has one objective that is associated with risk 3. Risk 3 has one 
control defined, and for this control, there are two defined test procedures. 

► Owners for the different object types must be defined. The default is to specify 
user names in e-mail address format (jim_doe@acme.com). If you want to 
specify owners in UID format (jim_doe), change the included properties file 
bcrimporttoolconfig.properties entry for ldapmapfrom=mail to 
ldapmapfrom=uid. 

► Financial statement linkage cannot be imported using this method. 

► Business unit structure cannot be imported. The business units in column A of 
the spreadsheet for which the process and control information will be created 
must already exist in IBM Workplace for Business Controls and Reporting. 

► Unlike the catalog import format, the data import format enables you to 
predefine the For Evaluation option on controls in column Q. 

► Unlike the catalog import format, the data import format enables you to 
predefine the Manual/Automated attribute for controls (column AB), and for 
automated controls, the Control Execution Description (column AC). 

► Unlike the catalog import format, the data import format enables you to 
predefine Procedure Sample Size (column AI). 

► Control Evaluation Test Frequency (column AA) and Procedure Frequency 
(column AG) are not currently used. 

► The import utility performs strict validation on keywords allowed. Customized 
labels (modified or added) cannot be imported as is the case with the catalog 
import format. 
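
Because the utility loads rows directly into the back-end data model, it is worth checking a spreadsheet export before handing it to the IT administrator. The following pre-check is an added example, not part of the data import utility; the CSV column names and the sample rows are constructed, and only the business unit column, the owner formats, and the `ldapmapfrom` values come from the text above. The five valid rows reproduce the structure described for Figure 3-35.

```python
import csv
import io

# Constructed sample in the horizontal layout: one row per control or test
# procedure, with the parent objects repeated on every row. Column names are
# assumptions; the real template uses spreadsheet columns A, B, C, ...
SAMPLE = """\
bu,process,subprocess,objective,risk,control,procedure,owner
BU 1,Process 1,Subprocess 1,Objective 1,Risk 1,Control 1,,jim_doe@acme.com
BU 1,Process 1,Subprocess 1,Objective 1,Risk 1,Control 2,,jim_doe@acme.com
BU 1,Process 1,Subprocess 1,Objective 2,Risk 2,Control 3,,jim_doe@acme.com
BU 1,Process 1,Subprocess 2,Objective 3,Risk 3,Control 4,Procedure 1,jim_doe@acme.com
BU 1,Process 1,Subprocess 2,Objective 3,Risk 3,Control 4,Procedure 2,jim_doe@acme.com
BU 1,Process 1,Subprocess 2,Objective 3,Risk 3,Control 5,,jim_doe
BU 9,Process 7,Subprocess 1,Objective 1,Risk 1,Control 1,,jim_doe@acme.com
"""
LEVELS = ["bu", "process", "subprocess", "objective", "risk", "control", "procedure"]


def owner_ok(owner, ldapmapfrom):
    """Check the owner value against the configured ldapmapfrom setting."""
    if ldapmapfrom == "mail":
        local, at, domain = owner.partition("@")
        return bool(local and at and domain) and "@" not in domain
    if ldapmapfrom == "uid":
        return bool(owner) and "@" not in owner
    raise ValueError("ldapmapfrom must be 'mail' or 'uid'")


def preflight(text, existing_bus, ldapmapfrom="mail"):
    """Fold flat rows into a tree; return (tree, [(line_number, problem)])."""
    tree, errors = {}, []
    reader = csv.DictReader(io.StringIO(text))
    for raw in reader:
        n = reader.line_num
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        if row["bu"] not in existing_bus:
            # Business units cannot be imported; they must already exist.
            errors.append((n, "business unit does not exist"))
            continue
        if not all(row[level] for level in LEVELS[:-1]):
            errors.append((n, "a level between business unit and control is empty"))
            continue
        if not owner_ok(row["owner"], ldapmapfrom):
            errors.append((n, "owner is not in %s format" % ldapmapfrom))
            continue
        node = tree
        for level in LEVELS:
            if row[level]:                    # procedure is optional
                node = node.setdefault(row[level], {})
    return tree, errors
```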


3.6 Versioning and archiving 

Depending on regulations and policies, a customer might, for example, want to 
keep two years’ worth of data online and be able to go back to seven-year-old 
data when necessary. 

IBM Workplace for Business Controls and Reporting supports both versioning 
and archiving. 

Versioning provides decision support over time series (versions). It also enables 
testing, evaluations, and auditing to continue in the previous version, while 
starting a new one. Each operating period (quarterly, semi-annually, or annually) 
can have a separate set of data records, each referred to as a version. Versions 
are kept in the online database until archived, and end users can switch to any 
previously created version in the online database. 

Archiving takes one or more versions from the live system and exports each 
selected version, table by table, to a set of files for long-term, offline storage. 
Archive files can be restored to the same database instance if required. Archiving 
is typically an IT administrator’s responsibility. The IBM Workplace for Business 
Controls and Reporting administrator will coordinate with IT to arrange for 
archiving to take place. 

3.6.1 Versioning 

The versioning task is scheduled from the Scheduling portlet. It can run 
periodically according to the fiscal year settings, or you can manually run the 
process as needed. 

After running the versioning task successfully, a new snapshot of the whole 
system at this point in time is created in the database. 

Each individual end user can switch to different versions of the data set from a 
drop-down list on the navigation portlets. The names of the versions represent 
the time period covered, for example, Version: 03/31/05 - 06/30/05. The default 
version presented to end users is always the current version. 

What happens during versioning 

When the versioning task runs, it copies data from the current version’s record 
tables to the corresponding history tables. For example, records in the OrgUnit 
table are copied to the OrgUnit_History table. 

Next, a number of tables are emptied in the current version after the copying 
completes. Notably, the tables that store records related to testing and control 
evaluations are: 

► Control Evaluations 

► Control Observations 

► Samples 

► Sample Remediations 

In addition, the Certification table and the Audit Trail table are cleared. 

After the versioning task is finished, what is now the previous version will contain 
an entire snapshot of the data, including attachments, evaluations, observations, 
test results, certifications, and the audit trail of changes made during that time 
period. What is now the current version will still have all the financial data, 
organizational data, and documentation, but all evaluations, observations, 
certifications, and audit trail data will have been cleared so that testing and 
evaluation for the new financial period can commence. 


Note: In releases prior to IBM Workplace for Business Controls and Reporting 
V2.5.1, even if a next date was set for a control to be evaluated in the next 
financial period or beyond, this date will be blank in the new current version. In 
the IBM Workplace for Business Controls and Reporting V2.5.1 release, when 
a version is created, the IBM Workplace for Business Controls and Reporting 
administrator will be able to control whether: 

► Evaluation data is kept in the current release. 

► Only the next control evaluation date is kept in the current release. 

See the global settings in “Additional global settings in IBM Workplace for 
Business Controls and Reporting V2.5.1” on page 145. 

Access control and previous versions 

In general, the access rights that have been assigned also apply to the 
versioned data. However, the following rules apply: 

► Access control lists (ACLs) cannot be edited. The owner or delegate of a 
business object cannot change the ownership or delegated ownership in the 
versioned data. 

► Whether documentation data can be edited is determined by the global 
Documentation Complete and Process Documentation Complete settings. If 
Documentation Complete is enforced, no edits are allowed on the 
documentation data for a process that has Documentation Complete. This is 
identical to edit access in the current version’s documentation data. 

► Creating new objects is not allowed in versioned data. However, evaluations 
and observations can still be done. New samples and remediations and 
attachments can still be created for test procedures. 


Important: When versioned data is being accessed, the current ACL applies. 
ACL tables are not versioned. The implications are best illustrated with an 
example. If Jim Doe owns the EMEA business unit but is relocated to become 
the executive for the Asia Pacific business unit, we would change his 
ownership in the current version. Jim would no longer be able to see and 
access the EMEA unit, but would now have access to the Asia Pacific unit. 
When Jim now selects a previous version of the data, we want him to be able 
to look at historic data for the Asia Pacific unit, but no longer be able to see the 
EMEA unit. Applying current ACLs to versioned data implements this key 
functionality. 
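
The versioning steps and the rule that the current ACL governs previous versions can be reproduced in a small in-memory database. This is an added example, not the product's schema or code: only the OrgUnit and OrgUnit_History table names and the version label come from the text, while the columns, the other tables, and the user ann_lee are assumptions.

```python
import sqlite3

# Assumption: a reduced schema for illustration. Column names are hypothetical.
SCHEMA = """
CREATE TABLE OrgUnit (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE OrgUnit_History (version TEXT, id INTEGER, name TEXT);
CREATE TABLE ControlEvaluation (id INTEGER PRIMARY KEY, org_unit INTEGER, result TEXT);
CREATE TABLE ControlEvaluation_History (version TEXT, id INTEGER, org_unit INTEGER, result TEXT);
CREATE TABLE Acl (org_unit INTEGER, owner TEXT);  -- one copy, never versioned
"""


def run_versioning(conn, label):
    """Copy record tables to their history tables, then clear evaluation data."""
    with conn:
        conn.execute("INSERT INTO OrgUnit_History SELECT ?, id, name FROM OrgUnit",
                     (label,))
        conn.execute("INSERT INTO ControlEvaluation_History "
                     "SELECT ?, id, org_unit, result FROM ControlEvaluation", (label,))
        conn.execute("DELETE FROM ControlEvaluation")


def visible_units(conn, user, version=None):
    """Org units the user may see; the join always reads the current Acl table."""
    if version is None:
        rows = conn.execute(
            "SELECT o.name FROM OrgUnit o JOIN Acl a ON a.org_unit = o.id "
            "WHERE a.owner = ? ORDER BY o.name", (user,))
    else:
        rows = conn.execute(
            "SELECT o.name FROM OrgUnit_History o JOIN Acl a ON a.org_unit = o.id "
            "WHERE o.version = ? AND a.owner = ? ORDER BY o.name", (version, user))
    return [r[0] for r in rows]


def visible_results(conn, user, version):
    """Evaluation results of a past version that the user may read today."""
    rows = conn.execute(
        "SELECT o.name, e.result FROM ControlEvaluation_History e "
        "JOIN OrgUnit_History o ON o.id = e.org_unit AND o.version = e.version "
        "JOIN Acl a ON a.org_unit = e.org_unit "
        "WHERE e.version = ? AND a.owner = ? ORDER BY o.name", (version, user))
    return [tuple(r) for r in rows]


def demo():
    """Constructed scenario following the Jim Doe example in the text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO OrgUnit VALUES (?, ?)",
                     [(1, "EMEA"), (2, "Asia Pacific")])
    conn.executemany("INSERT INTO Acl VALUES (?, ?)",
                     [(1, "jim_doe"), (2, "ann_lee")])
    conn.executemany("INSERT INTO ControlEvaluation VALUES (?, ?, ?)",
                     [(1, 1, "effective"), (2, 2, "deficient")])
    version = "03/31/05 - 06/30/05"
    out = {"before": visible_units(conn, "jim_doe")}
    run_versioning(conn, version)
    # Jim moves from EMEA to Asia Pacific: only the current ACL rows change.
    with conn:
        conn.execute("UPDATE Acl SET owner = 'ann_lee' WHERE org_unit = 1")
        conn.execute("UPDATE Acl SET owner = 'jim_doe' WHERE org_unit = 2")
    out["current"] = visible_units(conn, "jim_doe")
    out["previous"] = visible_units(conn, "jim_doe", version)
    out["previous_results"] = visible_results(conn, "jim_doe", version)
    out["open_evaluations"] = conn.execute(
        "SELECT COUNT(*) FROM ControlEvaluation").fetchone()[0]
    return out
```

In this model Jim reads the previous period's Asia Pacific results although he did not own that unit then, and the history tables alone do not record who had access during the period.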


Defining the financial year for automated versioning 

Versions can either be created on a schedule and run automatically, or be 
initiated at any moment manually by the Workplace for Business Controls and 
Reporting administrator. 

In order to run the versioning task in an automated fashion, the fiscal year start 
and end dates need to be defined. Perform the following steps (see Figure 3-36 
on page 180): 

1. Navigate to WBCR Administration -> Company Settings -> Fiscal Year. 

2. Click Edit to enter or modify the current reporting year. 

3. For each quarter, enter (or select from the date selector) an end date and a 
close date. Quarter end date is used to determine the automated versioning 
schedule. The versioning task will run one day after the end date. The quarter 
close date is informative only. 

4. Click OK to save the fiscal year settings or Cancel to return. 

Figure 3-36 Defining the fiscal year 


We discuss the scheduling of the versioning task in 3.7.1, “Scheduling 
versioning” on page 183. 


3.6.2 Archiving 

Archiving works on versioned data and takes a snapshot of the data model, 
including all business objects, attachments, users, labels, access control, and 
audit trails. All data, after it is archived, will be read-only: no edits, creations, 
or deletions can be made. 

The archive utility is a command line utility that exports data table by table to a 
set of files. It is typically run by an IT administrator. For detailed instructions 
about how to configure archiving and how to run the archive utility, refer to the 
IBM Workplace for Business Controls and Reporting Information Center. 

The Archive utility provides the following functions: 

1. Archives data from the IBM Workplace for Business Controls and Reporting 
database to files: 

a. When the Archive script is launched, the IT administrator can select to 
archive the Active (current) version or History version. 

b. If History is selected, the next prompt shows the eligible versions. The 
administrator can select one or more History versions to be archived. 

2. Deletes archived data from the IBM Workplace for Business Controls and 
Reporting active database. 

If History versions are being archived, the IT administrator can select to have 
this data removed from the IBM Workplace for Business Controls and 
Reporting active database after archiving. 

Note: The current version can be archived but cannot be removed from the 
IBM Workplace for Business Controls and Reporting active database. 


3. Restores data from files to the Workplace for Business Controls and 
Reporting active database: 

- Versions can only be restored to the active Workplace for Business 
Controls and Reporting database. 

- If versions need to be restored to a different IBM Workplace for Business 
Controls and Reporting system, first make a backup of the active system 
and then restore the original database to the new IBM Workplace for 
Business Controls and Reporting instance before restoring versions using 
the archive utility. 


Note: Users should not be accessing the active Workplace for Business 
Controls and Reporting database when versions are being archived to avoid 
possible conflicts. 


3.7 Scheduler 

The IBM Workplace for Business Controls and Reporting Scheduler, or Async 
Manager, leverages the WebSphere Application Server Scheduler Programming 
Model Extension (PME), which enables a timer service with high performance, 
high availability, persistence, and transactional scheduling. 

The Scheduler component in the IBM Workplace for Business Controls and 
Reporting administration interface is used to: 

► Schedule and monitor versioning 

► Track progress and status of catalog reimports 

► Track progress and status of removing catalogs 

► Schedule and monitor mail notifications 


Note: With the separation of the WebSphere Portal administration functions 
and IBM Workplace for Business Controls and Reporting administration 
functions in IBM Workplace for Business Controls and Reporting V2.5.1, the 
Scheduler will no longer be available to the Workplace for Business Controls 
and Reporting administrator and will only be accessible with WebSphere 
Portal administrator rights. 









Figure 3-37 IBM Workplace for Business Controls and Reporting Scheduler portlet 


As shown in Figure 3-37, the Scheduler enables you to see the current status of 
the four tasks, the scheduled frequency, the next run date, the last run date, task 
messages, and the task log. The last column shows possible actions the 
administrator can take. Consider the following details: 

► Running tasks can be suspended and later resumed. 

► Only tasks that are not currently running can be cancelled. Scheduled tasks 
can be cancelled and, if required, deleted. 

► Import Data and Delete Import Data refer to catalog imports (not a back-end 
data import that is run from the command line). These are always set to run 
one time and will be scheduled automatically to run as soon as possible when 
a catalog is imported by the Workplace for Business Controls and Reporting 
administrator, as described in “Importing the spreadsheet” on page 169. 


Note: In the current release, clicking the log icon will only provide the start 
date and time, the end date and time, and the task status for any given 
instance. Detailed log information is generally in the standard system logs 
(systemErr.log, systemOut.log, and wps_yyyy.mm.dd.hh.ss.log). 

3.7.1 Scheduling versioning 

To schedule the versioning task, perform the following steps (see Figure 3-38): 

1. Navigate to WBCR Administration -> Scheduler. 

2. Click the Version Data link. 

3. Select Automatically to create versions based on the fiscal year settings, as 
defined in “Defining the financial year for automated versioning” on page 179. 
If Automatically is selected, define whether versioning should take place: 

- Quarterly 

- Semi-annually 

- Yearly 

4. Select Version data based the selected dates and times to manually 
define a one time run for the versioning task: 

- Optionally pick a value for One time, Quarterly, Semi-annually, or Yearly 
as a reminder, or leave the default as One time. 

- Specify the date and time by entering a value or picking one from the 
calendar and time selector. 

5. Click OK to save or Cancel to return to the IBM Workplace for Business 
Controls and Reporting Scheduler. 

To schedule the versioning task to create a version semi-annually based on the 
fiscal year settings, your window should look like the sample shown in 
Figure 3-38. 

3.7.2 Scheduling mail notifications 

Only the passive mail notification events (due and overdue control evaluations) 
are explicitly scheduled through the Scheduler portlet. All other enabled 
notification events are triggered directly when users make changes. 

To schedule the time of day when the system will send due and overdue 
messages for control evaluations, perform the following steps: 

1. Select the Notifications link from the Scheduler. 

2. Specify a time of day by entering a value or picking it using the time selector. 
We recommend scheduling this task to run at off-peak hours or outside office 
hours, because a large number of e-mails can potentially be sent. 

3. Click OK to save or Cancel to return to the IBM Workplace for Business 
Controls and Reporting Scheduler. 

With the settings defined as shown in Figure 3-39, the due and overdue 
notifications will be collected and sent each day at 02:15 a.m. 


Figure 3-39 Scheduling due and overdue notifications to be sent at 02:15 a.m. 

Implementation overview and deployment considerations 


This chapter is intended as a high-level overview of basic architecture and 
deployment considerations for IBM Workplace for Business Controls and 
Reporting. This is not intended to be a detailed deployment, configuration, or 
installation guide. 

In this chapter, we introduce: 

► Application components overview 

► Architecture examples 

► IT administrator skills 

► Hosting option overview 



4.1 Application components overview 

IBM Workplace for Business Controls and Reporting is a browser-based 
application built on open standards such as J2EE and Web services that 
leverage IBM market-leading middleware to provide a framework to deliver the 
IBM Workplace for Business Controls and Reporting product functionality. 

When you purchase IBM Workplace for Business Controls and Reporting, limited 
licenses for all the underlying IBM technology are included for use in relation to 
IBM Workplace for Business Controls and Reporting. Crystal Reports is shipped 
in the box with five complimentary licenses. See your local IBM Sales 
representative for additional licensing needs. 

Software components 

In this section, we review at a high level each of the software components used 
with IBM Workplace for Business Controls and Reporting and explain how they 
are used. At the time this Redpaper was written, IBM Workplace for Business 
Controls and Reporting was shipping and available on two operating platforms: 

► Microsoft Windows® 

► IBM AIX® 5L™ 

For detailed system requirements or current platform support, refer to the IBM 
Workplace for Business Controls and Reporting Information Center: 

http://www.lotus.com/ldd/notesua.nsf/ddaf2e7f76d2cfbf8525674b00508d2b/36b4962e1d7518fe85256ff1006dbac9 

Database 

The underlying IBM DB2 database is where all the IBM Workplace for Business 
Controls and Reporting application data and WebSphere Portal data are stored. 
The current version ships with DB2 Universal Database™ (UDB) Enterprise 
Server Edition. 

When looking at the infrastructure for the application, you need to decide where 
you want to store and manage attachments with IBM Workplace for Business 
Controls and Reporting. You can either store attachments on a file system, or 
within DB2 Content Manager. 

A few questions to ask to help determine which one to use are: 

► Are you planning on providing a highly available system through clustering? 

► Do you plan on having a large volume of sizable attachments within the 
application? 

► Does your organization have a DB2 Content Manager deployment that you 
want to leverage for this installation? 

If you answer yes to any of these questions, you will want to implement DB2 
Content Manager as the back-end repository for the application and 
attachments. DB2 Content Manager provides the high-end features needed to 
support those types of functions and is configured during the installation of IBM 
Workplace for Business Controls and Reporting. 

LDAP 

For user authentication in IBM Workplace for Business Controls and Reporting, 
you have two options. The application can leverage an existing LDAP directory 
that your company has implemented and is using for other applications, or IBM 
Tivoli® Directory Server ships in the box if you want to manage users and access 
from the application. 

The following LDAP directories are supported: 

► IBM Lotus Domino Server 

► IBM Tivoli Directory Server 

► Microsoft Active Directory 

► Sun™ Java™ System Directory Server (formerly Sun ONE™ Directory 
Server) 

► Novell eDirectory 
A few considerations: 

► You or someone in your organization will need to make several additions to 
the directory, so ensure that you have appropriate access to the LDAP server. 

► Because many companies secure their LDAP directory behind firewalls, 
ensure that you can reach the LDAP server from the new servers that you are 
installing. 

WebSphere Portal 

IBM Workplace for Business Controls and Reporting is installed and run on IBM 
WebSphere Portal server. WebSphere Portal is the application that is used for 
the user interface, look and feel, security and access control, and application 
integration capabilities. 

WebSphere Portal is an enterprise application that runs on the IBM 
standards-based J2EE application server, IBM WebSphere Application Server. 
WebSphere Portal is installed with everything that it needs to run, including 
WebSphere Application Server and IBM HTTP Server. 

A few considerations: 


► After WebSphere Portal is installed and running, you need to configure it to 
work with both DB2 and LDAP. 

► If you are planning to use an external HTTP server (for example, outside of 
the firewall), delay this step until after IBM Workplace for Business Controls 
and Reporting is installed. 

Reports 

At the time this Redpaper was written, IBM Workplace for Business Controls and 
Reporting ships with five licenses of Crystal Enterprise. If you decide to 
implement Crystal as your reporting engine, this component is used to run the 
Executive View, any of the out-of-box standard reports, and any custom reports 
you might add to the system. 

A few considerations: 

► Crystal will need to be configured to work with the DB2 application. This 
consists of creating a database and an ODBC connection to that database. 

► Crystal needs an HTTP server to communicate with the users’ browsers. For 
this, install IBM HTTP Server. The Information Center outlines specific 
version and fix packs. 

► After Crystal is installed, you need to upload the standard IBM Workplace for 
Business Controls and Reporting reports to the server. In addition, any time 
you create a custom report, you need to upload it to the Crystal server so 
that it is available. See Appendix B, “Adding custom reports” on page 201. 


4.2 Architecture examples 

This section illustrates a few examples of configuration options for IBM 
Workplace for Business Controls and Reporting. We recommend discussing and 
planning an architecture with an experienced deployment specialist to determine 
how to handle your unique requirements. 


4.2.1 IBM test environment 

Figure 4-1 on page 189 illustrates an example of a four-server installation used in 
an IBM development test environment. 

[Figure 4-1 diagram: servers labelled DB2 (Application DB, Portal DB), Crystal, 
and PORTAL - WBCR with IHS, connected by a 1 GB private Ethernet network. 
Hardware labels shown in the diagram: 2 * 2.8 GHz, 4 GB memory, RAID 5; 
4 * 3.0 GHz, 4 GB memory; 2 * 1.2 GHz, 2 GB memory.] 

WBCR = Workplace for Business Controls and Reporting 
IHS = IBM HTTP Server 

Figure 4-1 Development test environment 


In the deployment test environment shown in Figure 4-1: 

► Server 1: WebSphere Portal, Workplace for Business Controls and 
Reporting, IBM HTTP Server 

This server contains the required HTTP server and the WebSphere Portal 
server with IBM Workplace for Business Controls and Reporting installed on 
top of it. 

► Server 2: DB2 

The DB2 server has its own dedicated server for tuning and performance 
reasons. It contains both application and WebSphere Portal data. 

► Server 3: Crystal 

The third server in this configuration is dedicated to the reports server. It is 
possible to consolidate this server with another. We recommend working with 
IBM Services to determine the best combination. 

► Server 4: LDAP 

Finally, a separate LDAP server can provide user credentials to allow for 
authentication into the WebSphere Portal and ultimately the IBM Workplace 
for Business Controls and Reporting application. Many companies choose to 
leverage an existing LDAP directory. 

This entire environment is located on a private network without any firewalls and 
provides a simple configuration in which to manage connections. 

4.2.2 Accessing a large-scale deployment from the Internet 

The implementation example that follows in Figure 4-2 is of a large installation at 
a company that allows their users to access the IBM Workplace for Business 
Controls and Reporting system through the Internet. 

All the servers on the left side of this diagram are inside the corporate firewall. 
You will also notice that each of the components has been broken out onto 
an individual server; this was done for the scalability of the application. 

Because this is a large installation with high-volume usage, notice that DB2 
Content Manager was installed to manage and store the attachments for the 
application. 

The HTTP server is in the DMZ so that it can receive and route the requests from 
the Internet to the IBM Workplace for Business Controls and 
Reporting/WebSphere Portal server behind the firewall. 



Figure 4-2 Accessing IBM Workplace for Business Controls and Reporting from the Internet 

4.2.3 Small configuration example 

In Figure 4-3, you will notice that several components have been combined. This 
sample architecture was built at a small company that has a small set of users. 
However, because of their high availability requirements, they implemented 
DB2 Content Manager for this scenario. 

You will also notice that this company did not have an existing corporate LDAP 
directory to leverage, so they installed a contained LDAP server for this 
installation and combined this component with the Crystal Enterprise Server 
component on one box. 



4.3 Expertise and skills required 

This section is intended for organizations that are not using hosting and plan to 
provide their own IT infrastructure to support IBM Workplace for Business 
Controls and Reporting. 

There are two options you have for securing IBM Workplace for Business 
Controls and Reporting for your company. You can either install the application 
in-house, or IBM provides a hosted offering of IBM Workplace for Business 
Controls and Reporting if you do not want to maintain the infrastructure for the 
application. In this section, we list the administration skills required to run the 
application, provide an overview of the hosted solution, and provide references 
for education options. 

The following general prerequisites apply to administrators who will be in charge 
of the on-going deployment, configuration, and maintenance of the Workplace for 
Business Controls and Reporting components in an IT infrastructure. Preferred 
administrator job skills include: 

► IBM WebSphere Portal administration skills 

► Relational database administration skills, preferably DB2 

► IBM DB2 Content Manager administration skills (if implemented) 

► General knowledge of the IBM Lotus, WebSphere, and DB2 technologies 

► Skills in the operating systems being used (Microsoft Windows 2000 Server, 
AIX 5L, and so on) 

► LDAP concepts 

► Java skills 


4.3.1 Hosting 

IBM offers a hosted solution for IBM Workplace for Business Controls and 
Reporting. By choosing this option, you forgo the need to set up hardware and 
complete the installation and configuration of the system. A customer system can 
be up and running in 4 hours to 2 days, ready for you or IBM to load your 
organization structure and documentation into the application. Within 5 to 10 
days, you should be ready for production level use. 

For more information, contact your local IBM Sales Representative. 

4.3.2 Classroom courses for system administrators 

The following classes are available for system administrators: 

► IBM WebSphere Application Server V5.1 Administration, SW246, 4 days 
http://education.lotus.com/rw/lewwschd.nsf/5816175A047CE7BA852565C2005B6933/8D023B6AA4B0449C85256EBD0072D64B?OpenDocument 

► IBM WebSphere Portal 5.0 Administration, SW532, 3 days 
http://education.lotus.com/rw/lewwschd.nsf/5816175A047CE7BA852565C2005B6933/6025055FF0A57F3985256E590057273E?OpenDocument 

► DB2 Universal Database Administration Workshop for Windows, CF231, 3 days 
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=CF231 

► IBM DB2 Content Manager V8 Implementation and Administration, IM401, 4 days 
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=IM401 

► Crystal Reports Design and Administration 
http://www.businessobjects.com/services/training/default.asp 

4.3.3 Related Redbooks 

Refer to the following IBM Redbooks for more information: 

► WebSphere Product Family Overview and Architecture, SG24-6963 
http://www.redbooks.ibm.com/abstracts/sg246963.html 

► WebSphere Portal V5.0 Production Deployment and Operations Guide, 
SG24-6391 

http://www.redbooks.ibm.com/abstracts/sg246391.html 

► IBM WebSphere Application Server V5.1 System Management and 
Configuration, WebSphere Handbook Series, SG24-6195 

http://www.redbooks.ibm.com/abstracts/sg246195.html 

► IBM WebSphere Portal for Multiplatforms V5 Handbook, SG24-6098 
http://www.redbooks.ibm.com/abstracts/sg246098.html 

► WebSphere Portal Server and DB2 Information Integrator: A Synergistic 
Solution, SG24-6433 

http://www.redbooks.ibm.com/abstracts/sg246433.html 

► DB2 UDB V8 and WebSphere V5 Performance Tuning and Operations 
Guide, SG24-7068 

http://www.redbooks.ibm.com/abstracts/sg247068.html 

► Content Manager Implementation and Migration Cookbook, SG24-7051 
http://www.redbooks.ibm.com/abstracts/sg247051.html 

► Performance Tuning for Content Manager, SG24-6949 

http://www.redbooks.ibm.com/abstracts/sg246949.html 

► Content Manager Backup/Recovery and High Availability: Strategies, 
Options, and Procedures, SG24-7063 

http://www.redbooks.ibm.com/abstracts/sg247063.html 

Appendix A. IBM Workplace for Business Controls and Reporting V2.5.1 Federal template 


This appendix describes how IBM Workplace for Business Controls and 
Reporting V2.5.1 provides specific support for federal agencies using a Federal 
template that applies label changes to support Government Accountability Office 
(GAO) standards, allows federal financial statements to be defined, and supports 
generating Statements of Assurance. 

Background 

Circular No. A-123 Revised, issued by the Office of Management and Budget 
(OMB), provides guidance to federal managers on improving the accountability 
and effectiveness of federal programs and operations by establishing, assessing, 
correcting, and reporting on internal control. The revised circular provides 
updated internal control standards and new specific requirements for conducting 
management’s assessment of the effectiveness of internal control over financial 
reporting. The revision to the circular will become effective in fiscal year 2006 
and agencies are urged to take steps toward compliance in fiscal year 2005. 

Specifically, agencies and individual federal managers must take systematic and 
proactive measures to: 

► Develop and implement appropriate, cost-effective internal control for 
results-oriented management. 

► Assess the adequacy of the internal control in federal programs and 
operations. 

► Separately assess and document internal control over financial reporting. 

► Identify needed improvements. 

► Take corresponding corrective action. 

► Report annually on internal control through management assurance 
statements. 


How IBM Workplace for Business Controls and 
Reporting 2.5.1 addresses specific federal requirements 

IBM Workplace for Business Controls and Reporting gives organizations an 
excellent framework for documenting and assessing internal control over 
operations and financial reporting. IBM Workplace for Business Controls and 
Reporting V2.5.1 provides a Federal template that implements some of the 
specific federal requirements and provides out-of-the-box support for Revision to 
Circular A-123. 


Template provides GAO terminology 

The IBM Workplace for Business Controls and Reporting Federal template 
applies Government Accountability Office (GAO) terminology. Specifically, where 
the standard template references the COSO framework and components, the 
Federal template references GAO Control Standards throughout the 
application. 

The standard deficiency impact ratings have been changed to more closely 
reflect the federal terminology: 

► Non-Conformance 

► Control Deficiency 

► Reportable Condition 

► Material Weakness 


Template supports federal financial statements 

Standard IBM Workplace for Business Controls and Reporting enables you to 
create three consolidated financial statements (income statement, balance 
sheet, and disclosures) and establish linkage between significant line items and 
subprocesses. 

The IBM Workplace for Business Controls and Reporting Federal template 
supports up to 10 financial statements, among which are the six basic 
statements as outlined in OMB Bulletin 01-09: 

► Balance Sheet 

► Statement of Change to Net Cost 

► Statement of Changes in Net Position 

Additional columns are available to accommodate the two components that 
affect net position: Cumulative Results of Operation and Unexpended 
Appropriations. See the sample in Figure A-1 on page 198. 

► Statement of Budgetary Resources 

Additional columns are available to accommodate the two components that 
affect budgetary resources: Budgetary and Non-budgetary Credit Program 
Financing Accounts. 

► Statement of Financing 

► Statement of Custodial Activity 


Department/Agency/Reporting Entity 
CONSOLIDATED STATEMENT OF CHANGES IN NET POSITION 
For the years ended September 30, 20x2 and 20x1 
(in dollars/thousands/millions) 

Column headings: 20x2 Cumulative Results of Operations; 20x2 Unexpended 
Appropriations; 20x1 Cumulative Results of Operations; 20x1 Unexpended 
Appropriations 

1. Beginning Balances 
2. Prior period adjustments (+/-) 
3. Beginning balances, as adjusted 

Budgetary Financing Sources: 
4. Appropriations received 
5. Appropriations transferred-in/out (+/-) 
6. Other adjustments (rescissions, etc) (+/-) 
7. Appropriations used 
8. Nonexchange revenue 
9. Donations and forfeitures of cash and cash equivalents 
10. Transfers-in/out without reimbursement (+/-) 
11. Other budgetary financing sources (+/-) 

Other Financing Sources: 
12. Donations and forfeitures of property 
13. Transfers-in/out without reimbursement (+/-) 
14. Imputed financing from costs absorbed by others 
15. Other (+/-) 

16. Total Financing Sources 


Figure A-1 Sample statement of Net Position with additional columns 


Support for Statement of Assurance 

According to Revised Circular NO. A-123, management is required in its 
assurance statement on the internal controls over financial reporting to state a 
direct conclusion about whether the agency’s internal controls over financial 
reporting are effective. 

The IBM Workplace for Business Controls and Reporting Version 2.5.1 Federal 
template includes additional reporting capabilities to generate the following three 
Statement of Assurance (SoA) reports: 

► Unqualified Statement of Assurance (no material weaknesses reported). 
Figure A-2 on page 199 shows a sample unqualified statement of assurance. 

Figure A-2 Sample of Unqualified Statement of Assurance 


► Qualified Statement of Assurance (one or more material weaknesses 
reported). This report includes a list of material weaknesses and 
non-conformances observed alongside a summary of corrective action. 

► Statement of no assurance (no processes in place or pervasive material 
weaknesses). 

Appendix B. Adding custom reports 


In IBM Workplace for Business Controls and Reporting V2.5.01 and later, you 
can add new custom reports to the list of standard reports that come with the 
product. Writing custom reports requires in-depth knowledge of the IBM 
Workplace for Business Controls and Reporting data model, skills to write SQL 
statements, and general report designer skills using the reporting engine your 
organization deploys with IBM Workplace for Business Controls and Reporting. 
For more information about the IBM Workplace for Business Controls and 
Reporting data model, see the IBM Workplace for Business Controls and 
Reporting Information Center. The creation of new reports is beyond the scope of 
this paper. We do, however, create a new report based on an existing report and 
discuss the general concepts involved in creating custom reports. This appendix 
also provides the IBM Workplace for Business Controls and Reporting 
administrator with instructions about how a new report can be added to the IBM 
Workplace for Business Controls and Reporting user interface. Finally, we 
provide an additional sample report for certification status. 


Auditor Observations sample 

Workplace for Business Controls and Reporting comes with a standard report, 
Observations and Recommendations, that lists all the controls for a business unit 
(and its dependent units) selected by the user. The report never shows controls 
to which the user has no access. The standard report, however, only contains 
control owner observations and recommendations, not the observations created 
by (external) auditors through the Auditor Observation functionality. In fact, there 
is no current report that lists these observations, and users could only see these 
by navigating the tree and checking whether individual controls have auditor 
observations. 

As an example, we adapt a copy of the existing report and add it to the 
Workplace for Business Controls and Reporting user interface as a new custom 
report called Auditor Observations. 

Four different report versions 

For every report you want to make available, you will, in general, create four 
different versions. For performance reasons, two of these versions circumvent 
the Workplace for Business Controls and Reporting ACL tables if the user has 
owner access at the selected business unit level or above that level. Also, a user 
might want to generate reports for previous versions of the data set. If a user first 
selected a previous version and subsequently runs a report, different tables (the 
History tables) will have to be accessed in the back-end database. This results in 
four different versions of a report. Which one is going to be generated will be 
completely transparent to end users. Following the Workplace for Business 
Controls and Reporting naming convention, which allows the system to identify 
the correct report version, we create the versions shown in Table B-1 to 
implement the custom report for Auditor Observations. 


Table B-1 Four report versions 

Report template name            When used 
AuditorObservations             Used with current version when ACL needs to be observed. 
NoAclAuditorObservations        Used with current version when user owns selected business unit or business unit above. 
HistAuditorObservations         Used with previous version when ACL needs to be observed. 
NoAclHistAuditorObservations    Used with previous version when user owns selected business unit or business unit above. 






In the following section, we outline the steps to create the 
NoAclAuditorObservations version, which is the easiest to customize. Creating 
the additional three reports is very similar. All four finished reports will be 
available as additional material with this Redpaper. If you do not want to 
re-create the reports yourself, you can copy the reports to the Workplace for 
Business Controls and Reporting template directory on the Crystal 10 server (for 
example, c:\Report Templates) and skip to “Publishing the new report to Crystal 
Enterprise 10” on page 208 to just publish the finished reports. 

Note: We use Business Objects Crystal Reports 10. Instructions for using 
alternative report designer tools and reporting engines will be different. 


Steps to customize a report based on an existing report 

To customize a report based on an existing report, perform the following steps: 
1. Launch Crystal Reports 10. On the Welcome window, click More Files, as 
shown in Figure B-1. 



Figure B-1 Crystal Reports 10 Welcome window 

2. Browse to the directory where the Workplace for Business Controls and 
Reporting standard report templates are installed, for example, c:\Report 
Templates. 

3. Open the existing report template NoAclObservations.rpt, as shown in 
Figure B-2. 



Figure B-2 Opening the standard report for Control Observations 

4. We first make changes to the SQL command. To edit the SQL command, 
select Database -> Database Expert. 

5. On the next window, right-click the command and select Edit. You will now 
see the SQL on the left side of the window, as shown in Figure B-3. 



Figure B-3 SQL command and parameters in edit mode 

Notice the parameters on the right side. These are the values passed on to 
Crystal Reports by Workplace for Business Controls and Reporting, and in 
general, will include the selected business unit ID, the version ID (-1 for the 
current version), and the user’s locale (en_US for English). In a report version 
that needs to observe the ACL, you will also see a parameter for the current 
user ID. The report we are currently modifying is the only standard report that 
uses the arg0 parameter. It is used to pass a user-selected value to show All 
Controls, only Controls with Deficiency, Significant Deficiency, or Material 
Deficiency. The default is to show All Controls, even those for which no 
observations were made. 

The mechanism to make custom reports available to the Workplace for 
Business Controls and Reporting end users does not currently support the 
use of this additional parameter arg0, so in our custom report for Auditor 
Observations, we always show only those controls for which auditor 
observations were made, regardless of the impact rating. 

6. Select arg0 in the parameter list and click Remove. 

7. In the SELECT statement, add the following value to extract the name of the 
auditor who made the observation so that we can include that in the report: 

   "V_CTRLOBSV"."OBSERVEDBY" 

8. In the FROM statement, locate the following part: 

   "V_LABEL" ON "V_CTRLOBSV"."IMPACT"="V_LABEL"."KEY") 
   RIGHT OUTER JOIN 
   "WBCR"."V_CONTROL" "V_CONTROL" 

9. Change the previous statement from a RIGHT OUTER JOIN to an INNER JOIN to 
exclude all controls for which no observations were made: 

   "V_LABEL" ON "V_CTRLOBSV"."IMPACT"="V_LABEL"."KEY") 
   INNER JOIN 
   "WBCR"."V_CONTROL" "V_CONTROL" 

10. On the next line in the FROM statement, change "Type"=0 to "Type"=1 to 
select the auditor observations rather than the control owner observations: 

   ON ("V_CTRLOBSV"."PARENTID"="V_CONTROL"."ID" AND "V_CTRLOBSV"."TYPE"=1) 

11. In the WHERE statement, remove the entire line that refers to the arg0 
parameter that was used for user-selected filtering: 

   AND ("V_CTRLOBSV"."IMPACT"={?arg0} OR {?arg0}='wbcr.report.parameter.all') 

Your modified SQL will now look like the SQL shown in Example B-1 on 
page 206. 

Example B-1 Modified SQL for NoAcl version of Auditor Observations report 

SELECT DISTINCT "V_CONTROL"."NAME", 
"V_CTRLOBSV"."DEFICIENCY", 
"V_CTRLOBSV"."IMPLICATION", 
"V_CTRLOBSV"."RECOMMENDATION", 
"V_CTRLOBSV"."IMPACT", 
"V_CTRLOBSV"."OBSERVEDBY", 
"V_ORGTREE"."NAME_STR", 
"V_PROCESS"."NAME", 
"V_SUBPROCESS"."NAME", 
"V_SUBPROCESS"."ID", 
"V_CONTROL"."ID", 
"V_ORGTREE"."ANCESTOR", 
"V_CTRLOBSV"."MITIGATION", 
"V_USER"."FIRSTNAME", 
"V_USER"."MIDNAME", 
"V_USER"."LASTNAME", 
"V_LABEL"."VALUE", 
"V_ORGTREE"."VERSIONID", 
"V_CONTROL"."VERSIONID", 
"V_PROCESS"."VERSIONID", 
"V_SUBPROCESS"."VERSIONID", 
"V_USER"."VERSIONID", 
"V_LABEL"."LOCALE", 
"V_CTRLEVAL"."EFFECTIVE" 
FROM ((((("WBCR"."V_ACL" "V_ACL" 
INNER JOIN ("WBCR"."V_CTRLEVAL" "V_CTRLEVAL" 
RIGHT OUTER JOIN (("WBCR"."V_CTRLOBSV" "V_CTRLOBSV" 
FULL OUTER JOIN "WBCR"."V_LABEL" 
"V_LABEL" ON "V_CTRLOBSV"."IMPACT"="V_LABEL"."KEY") 
INNER JOIN 
"WBCR"."V_CONTROL" "V_CONTROL" 
ON ("V_CTRLOBSV"."PARENTID"="V_CONTROL"."ID" AND "V_CTRLOBSV"."TYPE"<>0) 
AND 
("V_CTRLOBSV"."VERSIONID" = "V_CONTROL"."VERSIONID")) 
ON ("V_CTRLEVAL"."VERSIONID"="V_CONTROL"."VERSIONID") 
AND ("V_CTRLEVAL"."PARENTID"="V_CONTROL"."ID")) 
ON "V_ACL"."RESID"="V_CONTROL"."ID") INNER JOIN "WBCR"."V_USER" 
"V_USER" ON "V_ACL"."USERID"="V_USER"."ID") 
INNER JOIN "WBCR"."V_RISK" "V_RISK" ON 
"V_CONTROL"."PARENTID"="V_RISK"."ID") 
INNER JOIN "WBCR"."V_SUBPROCESS" "V_SUBPROCESS" ON 
"V_RISK"."PARENTID"="V_SUBPROCESS"."ID") 
INNER JOIN "WBCR"."V_PROCESS" "V_PROCESS" ON 
"V_SUBPROCESS"."PARENTID"="V_PROCESS"."ID") 
INNER JOIN "WBCR"."V_ORGTREE" "V_ORGTREE" ON 
"V_PROCESS"."PARENTID"="V_ORGTREE"."ID" 
WHERE 
"V_ORGTREE"."ANCESTOR"={?BCR_ORG_ID} 
AND "V_ORGTREE"."VERSIONID"={?BCR_VERSION_ID} 
AND "V_SUBPROCESS"."VERSIONID"={?BCR_VERSION_ID} 
AND "V_CONTROL"."VERSIONID"={?BCR_VERSION_ID} 
AND "V_PROCESS"."VERSIONID"={?BCR_VERSION_ID} 
AND "V_USER"."VERSIONID" = {?BCR_VERSION_ID} 
AND "V_RISK"."VERSIONID"={?BCR_VERSION_ID} 
AND "V_ACL"."VERSIONID"={?BCR_VERSION_ID} 
AND ("V_LABEL"."LOCALE" IS NULL OR "V_LABEL"."LOCALE"='{?BCR_LOCALE}') 
AND "V_CONTROL"."DELETED" = 0 
AND "V_ACL"."OWNER" = 1 
AND "V_ORGTREE"."SCOPE" <> 
'wbcr.orgunit.label.scope.aggregated_not_important' 


12. Click OK to save the modified SQL statement. 

13. The SQL will need to be executed once now, so you will be asked to provide 
the Workplace for Business Controls and Reporting database administrator 
user name and password on the next window. Click Finish to go to the next 
window. 

14. You now need to provide the following three parameter values: 

- BCR_ORG_ID = 16,000,000,000,001 
(the internal ID of your top business unit) 

- BCR_VERSION_ID = -1 
(the current version) 

- BCR_LOCALE = en_US 

15. Click OK. 

16. You are now back on the Database Expert window. Click OK. 

17. On the Report Design window, change the Report Title to Auditor 
Observations and Recommendations by double-clicking in the original field 
and changing the text. 

18. Change the Owner label in the Report heading to Observed By. 

19. Select the field labeled @ExtUserID-display and click Delete. 

20. In the Field Explorer on the far right side of the window, expand Database 
Fields -> Command. Drag the field OBSERVEDBY onto the Report window 
and drop it in the spot where you removed the @ExtUserID-display field, as 
shown in Figure B-4 on page 208. 

21. Remove the additional field header for OBSERVEDBY. 

Figure B-4 Adding the OBSERVEDBY field to the report 

22. Click File -> Summary Info and change the Report Title from 
NoAclObservations to NoAclAuditorObservations. The reporting engine 
will use the Report Title to locate the correct version of our report based on 
the parameters passed by Workplace for Business Controls and Reporting 
when the user selects to see the Auditor Observations report. 

23. Select File -> Report Options and make sure that the Save Data with 
Report option is cleared. When the report is saved, we do not want to save 
the parameter values; these will be based on the user context and are passed 
to the reporting engine by Workplace for Business Controls and Reporting. In 
order to ensure that they will be cleared when saving, also generate a 
Preview Sample as described in the next step. 

24. Select File -> Print -> Preview Sample. 

25. Select File -> Save As to save the modified report. Name the report 
NoAclAuditorObservations.rpt. 

26. Close Crystal Reports 10. 
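
The effect of the SQL changes in steps 7 to 10, and of the user ID filter that an ACL-observing version adds, shown as an added example that is not part of the original paper or the product's own SQL. The three tables are constructed, cut-down stand-ins for the WBCR views; the sample rows, the user IDs, and the form of the ACL filter (V_ACL.USERID matched against the user parameter) are assumptions.

```python
import sqlite3

# Constructed, cut-down stand-ins for the WBCR views named in Example B-1.
SCHEMA = """
CREATE TABLE V_CONTROL  (ID INTEGER, NAME TEXT, VERSIONID INTEGER, DELETED INTEGER);
CREATE TABLE V_CTRLOBSV (PARENTID INTEGER, VERSIONID INTEGER, TYPE INTEGER,
                         DEFICIENCY TEXT, OBSERVEDBY TEXT);
CREATE TABLE V_ACL      (RESID INTEGER, USERID INTEGER, VERSIONID INTEGER,
                         OWNER INTEGER);
"""

AUDITOR_DN = "uid=jim_doe,cn=users,dc=acme,dc=com"
OWNER_DN = "uid=owner_one,cn=users,dc=acme,dc=com"   # constructed value
VIEWER_ID, OWNER_ID = 100, 200                        # constructed user IDs

# Shape of the standard report: every control, with TYPE=0 (control owner)
# observations where they exist. The page's SQL expresses this as
# observations RIGHT OUTER JOIN controls; it is written here from the control
# side as a LEFT OUTER JOIN, which returns the same rows and also runs on
# SQLite builds that lack RIGHT JOIN.
OWNER_SQL = """
SELECT DISTINCT c.NAME, o.DEFICIENCY
FROM V_CONTROL c
LEFT OUTER JOIN V_CTRLOBSV o
  ON o.PARENTID = c.ID AND o.VERSIONID = c.VERSIONID AND o.TYPE = 0
WHERE c.VERSIONID = :version AND c.DELETED = 0
ORDER BY c.NAME
"""

# Steps 7-10: add OBSERVEDBY, switch to INNER JOIN, select TYPE=1.
NOACL_SQL = """
SELECT DISTINCT c.NAME, o.DEFICIENCY, o.OBSERVEDBY
FROM V_CTRLOBSV o
INNER JOIN V_CONTROL c
  ON o.PARENTID = c.ID AND o.VERSIONID = c.VERSIONID AND o.TYPE = 1
WHERE c.VERSIONID = :version AND c.DELETED = 0
ORDER BY c.NAME
"""

# ACL-observing variant (assumed form): same query, restricted to controls
# for which the requesting user has an ACL row.
ACL_SQL = """
SELECT DISTINCT c.NAME, o.DEFICIENCY, o.OBSERVEDBY
FROM V_CTRLOBSV o
INNER JOIN V_CONTROL c
  ON o.PARENTID = c.ID AND o.VERSIONID = c.VERSIONID AND o.TYPE = 1
INNER JOIN V_ACL a
  ON a.RESID = c.ID AND a.VERSIONID = c.VERSIONID
WHERE c.VERSIONID = :version AND c.DELETED = 0 AND a.USERID = :user
ORDER BY c.NAME
"""


def build_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO V_CONTROL VALUES (?,?,?,?)", [
        (1, "Access review", -1, 0),
        (2, "Billing configuration", -1, 0),
        (3, "Aging comparison", -1, 0),      # no observations at all
    ])
    conn.executemany("INSERT INTO V_CTRLOBSV VALUES (?,?,?,?,?)", [
        (1, -1, 0, "Owner note", OWNER_DN),
        (1, -1, 1, "Auditor finding A", AUDITOR_DN),
        (2, -1, 1, "Auditor finding B", AUDITOR_DN),
    ])
    conn.executemany("INSERT INTO V_ACL VALUES (?,?,?,?)", [
        (1, VIEWER_ID, -1, 0), (3, VIEWER_ID, -1, 0),   # viewer: controls 1, 3
        (1, OWNER_ID, -1, 1), (2, OWNER_ID, -1, 1), (3, OWNER_ID, -1, 1),
    ])
    return conn


def run(conn, sql, **params):
    """Run a report query; bound parameters stand in for {?BCR_...} values."""
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    for label, sql, params in [
        ("standard (owner observations)", OWNER_SQL, {"version": -1}),
        ("auditor, NoAcl", NOACL_SQL, {"version": -1}),
        ("auditor, ACL, viewer", ACL_SQL, {"version": -1, "user": VIEWER_ID}),
    ]:
        print(label)
        for row in run(db, sql, **params):
            print("   ", row)
```

The viewer's result omits the Billing configuration finding because that user has no ACL row for the control, which is the behavior the ACL-observing report versions exist to preserve.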

Publishing the new report to Crystal Enterprise 10 

Next, we publish our custom report to the Crystal Enterprise server. Perform the 
following steps: 

1. Launch the Crystal Enterprise 10 -> Crystal Publishing Wizard. 

2. Click Next on the Welcome window. 

3. On the next window, provide the Crystal Administrator user name and 
password and click Next. 

4. Click Add Files. 

5. If necessary, browse to the directory where the templates reside, for example, 
c:\Report Templates and select the NoAclAuditorObservations.rpt file we 
created. 

6. Click Open. 

7. Click Next. 

8. Select the location to which the report will be published and click Next. In a 
standard installation, this will be WBCR, as shown in Figure B-5. 



Figure B-5 Selecting the location for publishing the new report 

9. On the following windows, keep clicking Next to accept all the default 
settings, and complete the publishing process by clicking Finish on the last 
window. 


Making the new report available through the Workplace for Business 
Controls and Reporting interface 

The next stage is to set up Workplace for Business Controls and Reporting so 
that the new report can be selected by end users through the Reports tab. In this 
section, we add a portlet parameter and two custom labels with the Label 
Manager. 

Adding a portlet parameter 

You will need WebSphere Portal administrator access in order to add a 
parameter to the portlet. If you do not have this access as the Workplace for 
Business Controls and Reporting administrator, coordinate these steps with the 
WebSphere Portal administrator. Perform the following steps: 

1. Log in to the portal as the WebSphere Portal administrator. 

2. Navigate to Administration -> Portlets -> Manage Portlets. 

3. Search for Workplace for Business Controls and Reporting portlets by 
entering WBCR in the Title contains field. 

4. Select the WBCR - Reports Detail portlet and click Modify Parameters. 

5. Define a new parameter, wbcr.reports.custom.Report1, with the value 
AuditorObservations, as shown in Figure B-6, and click Add. 



Figure B-6 Adding the portlet parameter 


6. Scroll down and click Save to save the changes. 

Adding the custom labels with Label Manager 

Next, the Workplace for Business Controls and Reporting administrator can add 
the required custom labels. Perform the following steps: 

1. Navigate to WBCR Administration -> User Interface -> Customize Labels. 

2. In the Add label section, select the key for wbcr.reports.custom. In the suffix 
field, type AuditorObservations.title. 

3. In the Value field, type a title that will become the link in the list of reports, for 
example, Auditor Observations. 

4. Click Add label. 

5. In the Add label section, select the key for wbcr.reports.custom. In the 
suffix field, type AuditorObservations.desc. 

6. In the Value field, type a description that will help the user identify what this 
report will generate, for example, Provides a list of all auditor 
observations and recommendations for the selected Business Unit(s). 

7. Click Add label. 

8. Log out of WebSphere Portal. 

Verifying that the new report works 

Before you can verify whether the Auditor Observations report works, make sure 
that you have a couple of auditor observations. Perform the following steps: 

1. Log in to the portal as a user with the auditors role. 

2. Go to the Evaluation tab. 

3. Drill down into a process until you reach a control. 

4. Click Auditor Observation, fill in the fields on the form, and click Save. 

5. Repeat the previous steps so that you have a couple of observations. 

6. Next, navigate to the Reports tab. Select the top-level business unit and click 
Reports to see the list of standard reports and the new category for Custom 
Reports, which now has the entry for Auditor Observations, as shown in 
Figure B-7 on page 212. 

Figure B-7 New report is displayed under Custom Reports 


7. Select the Auditor Observations report. Because we are logged in as an 
auditor with global access rights, Workplace for Business Controls and 
Reporting knows that it needs to pass the reporting engine the command to 
use the NoAcl version of our report. The reporting engine uses the business 
unit ID, version ID, and user locale parameters in the SQL statement, 
generates the report, and passes the formatted HTML back to the Workplace 
for Business Controls and Reporting portlet for display, as shown in 
Figure B-8 on page 213. 

Figure B-8 Auditor Observations report 


Note: The report will show the OBSERVEDBY value as, for example, 
uid=jim_doe, cn=users, dc=acme, dc=com. An additional formula will have to 
be applied to this field in Crystal Reports 10 to display the auditor name in a 
more user-friendly format. 


Next steps: Adding the three other versions of the report 

Users might select a business unit that they can view only for traversability 
reasons. To show these users only the Auditor Observations for controls to which 
they have view or edit access, we also need to implement the Acl version of the 
report (AuditorObservations.rpt). 

To enable users to view Auditor Observations in previous versions of the data 
set, we need to implement the report templates (HistAuditorObservations.rpt and 
NoAclHistAuditorObservations.rpt) that access the History tables. 

To do this, follow the same steps as outlined in “Steps to customize a report 
based on an existing report” on page 203 to create the three additional reports. 
Base these on the existing report templates shown in Table B-2. 

Table B-2 Additional files to be created 

Original template            Save as 
Observations.rpt             AuditorObservations.rpt 
HistObservations.rpt         HistAuditorObservations.rpt 
NoAclHistObservations.rpt    NoAclHistAuditorObservations.rpt 


You will notice that the SQL is different for each of these templates. However, 
similar changes need to be applied in each one of these. Perform the following 
steps: 

1. Add "V_CTRLOBSV"."OBSERVEDBY" for the AuditorObservations template and 
"V_CTRLOBSV_HISTORY"."OBSERVEDBY" for the Hist versions of the templates. 

2. Change RIGHT OUTER JOIN to INNER JOIN. 

3. Change "Type"=0 to "Type"=1. 

4. Remove the line that references arg0. 

5. When you save the modified SQL, provide the same parameters you used 
before for BCR_ORG_ID and BCR_LOCALE. For Acl versions, provide 
45,000,000,000,001 as the value for BCR_USER_ID. For the Hist versions, 
provide 46,000,000,010,001 as the value for BCR_VERSION_ID. 

6. Apply the same changes to the report design (header, OBSERVEDBY 
field). 

7. Change the Report Title by selecting File -> Report Summary and provide 
the corresponding value for each of the three templates (the save as file 
name without the .rpt extension). 

8. Save each report with the appropriate file name. 

9. Publish the three reports by selecting Crystal Enterprise -> Report 
Publishing Wizard. 

Note: If you need to remove a report from the Crystal Enterprise 10 server, go 
to Crystal Enterprise -> Crystal Enterprise Admin Launchpad. From there, 
you can launch the Crystal Management Console. Go to Objects, select the 
report to be deleted, and click Delete. This removes the published report, not 
the template .rpt file itself. 

You might also want to use the Crystal Management Console to check 
whether the parameter values are set to <Empty> by clicking the report link 
from the Objects section. Next, go to the Process tab and select Parameters. 
If actual values are shown, set the initial values to <Empty> and update 
the report. 


Certification report sample 

A second custom report has been added as additional sample material for this 
paper. When a user selects this report, it will initially show the certification status 
for the selected business unit and its dependent business units. If a business unit 
was certified, the report will show the date of certification, comments, and who 
certified the business unit. If the business unit was certified multiple times, the 
report will list all certification entries for that unit. Figure B-9 on page 216 shows 
the business unit certification status. 

Figure B-9 Business Unit Certification Status 


The business unit names are hyperlinks, so the user can click a business unit 
name and generate a second report showing the certification status for each 
process that was defined for that business unit, as shown in Figure B-10 on 
page 217. 

Figure B-10 Following a Business Unit hyperlink shows Process Certification Status 


In this second report, the process names are hyperlinks, so the user can click a 
process name and generate a third report showing the certification status for 
each control that was defined for that process. The user can navigate back to the 
business unit certification report through the breadcrumb trail at the top of the 
report. See Figure B-11 on page 218. 


Note: The certification reports are provided as a sample and include only the 
“NoAcl” versions of the templates. The Acl and History versions for these 
reports have not been included. 

Figure B-11 Following a process hyperlink shows Control Certification Status (report title: Control Certification Status, shown for Finance* : Accounts Receivable*) 


To publish the three reports, copy the following files to the Workplace for 
Business Controls and Reporting templates directory on the Crystal Reports 
server: 

► NoAclCertificationOrg.rpt 

► NoAclCertificationProc.rpt 

► NoAclCertificationCont.rpt 

To publish the reports, follow the steps described in “Publishing the new report to 
Crystal Enterprise 10” on page 208. 

Next, the NoAclCertificationOrg.rpt file needs to be made available through the 
Workplace for Business Controls and Reporting user interface. Note that the 
other two reports do not need to be available from the reports lists because they 
will only be available through the hyperlink in a generated report. 

Follow the steps described in “Making the new report available through the 
Workplace for Business Controls and Reporting interface” on page 209 to add 
the report with the following changes: 

► Portlet parameter to be added: wbcr.reports.custom.Report2 

► Parameter value: CertificationOrg 

► Add the following custom labels and values: 

- wbcr.reports.custom.CertificationOrg.title = Certification Status 

- wbcr.reports.custom.CertificationOrg.desc = Lists certification status for selected Business Units(s), processes and controls 

- wbcr.reports.custom.CertificationProc.title = Process Certification Status 

- wbcr.reports.custom.CertificationCont.title = Control Certification Status 


Note: The titles for the CertificationProc and CertificationCont labels are 
added so that they will appear as part of the breadcrumb trail of the reports. 
There is no need to add the description (desc) label for these reports. 

Additional material 


This Redpaper refers to additional material that can be downloaded from the 
Internet as described in this appendix. 


Locating the Web material 

The Web material associated with this Redpaper is available in softcopy on the 
Internet from the IBM Redbooks Web server. Point your Web browser to: 

ftp://www.redbooks.ibm.com/redbooks/REDP4021 

Alternatively, you can go to the IBM Redbooks Web site at: 

ibm.com/redbooks 

Select the Additional materials and open the directory that corresponds with 
the Redbook form number, REDP4021. 


Using the Web material 

The additional Web material that accompanies this Redpaper includes the 
following files: 

► Auditor Observations reports: 

- NoAclHistAuditorObservations.rpt 

- AuditorObservations.rpt 

- HistAuditorObservations.rpt 

- NoAclAuditorObservations.rpt 

► Certification reports: 

- NoAclCertificationProc.rpt 

- NoAclCertificationCont.rpt 

- NoAclCertificationOrg.rpt 

► Catalog Import spreadsheet template and sample data: 

- CatalogSample.xls 

Related publications 


The publications listed in this section are considered particularly suitable for a 
more detailed discussion of the topics covered in this Redpaper. 


IBM Redbooks 

For information about ordering these publications, see “How to get IBM 
Redbooks” on page 224. Note that some of the documents referenced here may 
be available in softcopy only. 

► WebSphere Product Family Overview and Architecture, SG24-6963 

► WebSphere Portal V5.0 Production Deployment and Operations Guide, 
SG24-6391 

► IBM WebSphere Application Server V5.1 System Management and 
Configuration, WebSphere Handbook Series, SG24-6195 

► IBM WebSphere Portal for Multiplatforms V5 Handbook, SG24-6098 

► WebSphere Portal Server and DB2 Information Integrator: A Synergistic 
Solution, SG24-6433 

► DB2 UDB V8 and WebSphere V5 Performance Tuning and Operations 
Guide, SG24-7068 

► Content Manager Implementation and Migration Cookbook, SG24-7051 

► Performance Tuning for Content Manager, SG24-6949 

► Content Manager Backup/Recovery and High Availability: Strategies, 
Options, and Procedures, SG24-7063 


Online resources 

These Web sites and URLs are also relevant as further information sources: 

► IBM Workplace for Business Controls and Reporting Information Center: 

http://www.lotus.com/ldd/notesua.nsf/ddaf2e7f76d2cfbf8525674b00508d2b/36b4962e1d7518fe85256ff1006dbac9 

► IBM WebSphere Portal Information Center 

http://publib.boulder.ibm.com/pvc/wp/500/ent/en/InfoCenter/index.html 


► Information Systems Audit and Control Association (ISACA) 

http://www.isaca.org 

► Committee of Sponsoring Organizations (COSO) of the Treadway 
Commission 

http://www.coso.org 

► “Leverage on demand solutions to help you create strategic Sarbanes-Oxley 
compliance plans” 

ftp://ftp.software.ibm.com/software/lotus/pub/lotusweb/sox/10703070_Lotus_final.pdf 

► IT Controls for Sarbanes Oxley, Information Systems Audit and Control 
Association (ISACA) 

http://www.isaca.org 


How to get IBM Redbooks 

You can search for, view, or download Redbooks, Redpapers, Hints and Tips, 
draft publications and Additional materials, as well as order hardcopy Redbooks 
or CD-ROMs, at this Web site: 
ibm.com/redbooks 


Help from IBM 

IBM Support and downloads 

ibm.com/support 

IBM Global Services 

ibm.com/services 